CVE-2024-6864: 
WordPress vulnerability analysis and mitigation

The WP Last Modified Info plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6864) in versions up to and including 1.9.0. The vulnerability exists in the 'template' attribute of the lmt-post-modified-info shortcode due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L). The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when users access the affected pages (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access to inject malicious web scripts into pages. These scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions or data theft (NVD).

The vulnerability has been patched in version 1.9.1 of the WP Last Modified Info plugin. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).