CVE-2024-6927: 
WordPress vulnerability analysis and mitigation

The Viral Signup WordPress plugin through version 2.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its settings, which affects high-privilege users such as administrators, even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from inadequate input validation and sanitization of plugin settings, allowing for stored XSS attacks (NVD).

When exploited, this vulnerability allows high-privilege users to store and execute malicious JavaScript code in the plugin settings. This can lead to potential client-side attacks against other administrators accessing the affected pages, even in environments where unfiltered HTML is explicitly disallowed (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Viral Signup WordPress plugin should consider implementing additional security measures or temporarily disabling the plugin until a security patch is released (WPScan).