CVE-2024-6494: 
WordPress vulnerability analysis and mitigation

The WordPress File Upload plugin before version 4.24.8 contains a security vulnerability identified as CVE-2024-6494. This vulnerability is characterized as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, which was discovered and reported by Majdeddine Ben Hadj Brahim. The vulnerability affects all versions of the WordPress File Upload plugin prior to version 4.24.8 (WPScan).

The vulnerability stems from improper sanitization and escaping of certain parameters in the WordPress File Upload plugin. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79: Cross-Site Scripting (NVD).

When exploited, this vulnerability allows unauthenticated users to execute stored cross-site scripting (XSS) attacks. The successful exploitation could lead to the execution of arbitrary web scripts in the context of other users' browsers, potentially compromising sensitive information or performing actions on behalf of other users (WPScan).

The vulnerability has been patched in version 4.24.8 of the WordPress File Upload plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).