CVE-2024-6724: 
WordPress vulnerability analysis and mitigation

The Generate Images WordPress plugin (also known as Magic Post Thumbnail) before version 5.2.8 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on July 22, 2024, and affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The affected fields include Google Image API settings (Custom Search Engine ID and Google API Key), DALLE-E v3 API Key, and Pixabay credentials (username and API key). The vulnerability has been assigned a CVSS 3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (CISA-ADP).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. This is particularly relevant in multisite WordPress installations (WPScan).

The vulnerability has been fixed in version 5.2.8 of the Generate Images (Magic Post Thumbnail) plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).