CVE-2024-6691: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads WordPress plugin (eCommerce Store + Payments Made Easy) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6691) in versions up to and including 3.3.2. The vulnerability exists due to insufficient input sanitization and output escaping of the currency value. This security issue affects multi-site installations and installations where unfiltered_html has been disabled (Wordfence Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.0 (Medium) according to NVD, and 4.4 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, high attack complexity, high privileges, and user interaction (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected pages (NVD).

The vulnerability has been patched in version 3.3.3 of the Easy Digital Downloads plugin. Users are advised to update to this version or later to mitigate the risk (WordPress Patch).