CVE-2024-6158: 
WordPress vulnerability analysis and mitigation

CVE-2024-6158 affects the Category Posts Widget WordPress plugin (versions before 4.9.17) and term-and-category-based-posts-widget WordPress plugin (versions before 4.9.13). The vulnerability was discovered and disclosed on August 12, 2024, by Dmitrii Ignatyev (WPScan).

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that occurs due to insufficient validation and escaping of the 'Category Posts' widget settings before outputting them back in a page/post where the Widget is embedded. The vulnerability has received a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (CISA-ADP).

The vulnerability allows high privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. When successfully exploited, the XSS payload will be triggered on any page in the frontend (WPScan).

Users should update their installations to Category Posts Widget version 4.9.17 or later for the free version, or to version 4.9.13 or later for the Pro version to mitigate this vulnerability (WPScan).