CVE-2024-6617: 
WordPress vulnerability analysis and mitigation

The NinjaTeam Header Footer Custom Code WordPress plugin before version 1.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the plugin does not properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

The vulnerability has been assigned CVE-2024-6617 with a CVSS v3.1 base score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically affects the CSS settings field in the plugin, where unsanitized input can lead to XSS execution (NVD).

When exploited, this vulnerability allows high-privilege users to execute stored Cross-Site Scripting attacks. This is particularly significant in multisite WordPress setups where even administrators are typically restricted from using unfiltered HTML (WPScan).

Users should update to version 1.2 or later of the NinjaTeam Header Footer Custom Code plugin to address this vulnerability (WPScan).