CVE-2024-6074: 
WordPress vulnerability analysis and mitigation

The wp-cart-for-digital-products WordPress plugin before version 8.5.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-6074. The vulnerability was discovered on July 15, 2024, and affects the customer editing functionality in the plugin's admin interface. The issue stems from improper parameter sanitization and escaping before output, potentially impacting high-privilege users such as administrators (WPScan).

The vulnerability exists due to insufficient input sanitization in the customer editing functionality. When processing parameters in the admin interface, specifically in the URL path 'wp-admin/admin.php?page=wpeStorecustomer_addedit&editcustomer=', the plugin fails to properly sanitize and escape user input before reflecting it back in the page. The vulnerability has received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks against high-privilege users such as administrators. When successfully exploited, this could lead to unauthorized actions being performed in the context of the administrator's session, potentially compromising the security of the WordPress installation (WPScan).

Users are advised to update their wp-cart-for-digital-products WordPress plugin to version 8.5.5 or later, which contains the fix for this vulnerability (NVD).