CVE-2024-6625: 
WordPress vulnerability analysis and mitigation

The WP Total Branding WordPress plugin (versions up to 1.2) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6625) discovered in July 2024. This vulnerability affects the admin settings functionality and is specifically present in multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings of the plugin. This security flaw has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring high privileges but no user interaction (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The vulnerability has been addressed in version 1.3 of the WP Total Branding plugin, released on July 10, 2024. The update includes improved settings sanitization and addresses the XSS vulnerability (WordPress Plugin).