CVE-2024-6536: 
WordPress vulnerability analysis and mitigation

CVE-2024-6536 affects the Zephyr Project Manager WordPress plugin versions before 3.3.99. The vulnerability was discovered and reported by Adrian Peña Barragan, with public disclosure on July 30, 2024. The plugin fails to properly sanitize and escape certain settings, potentially exposing WordPress installations to security risks (NVD CVE, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, categorized under CWE-79. It has been assigned a CVSS v3.1 base score of 3.5 (Low severity). The vulnerability specifically affects the plugin's settings handling mechanism, where certain configuration options are not properly sanitized or escaped, particularly impacting high-privilege users such as editors and administrators, even when the unfiltered_html capability is disallowed in multisite setups (WPScan).

The vulnerability allows high-privilege users (editors and administrators) to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite configurations. This could potentially lead to unauthorized script execution in the context of other users' sessions (NVD CVE).

The vulnerability has been patched in version 3.3.99 of the Zephyr Project Manager plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).