CVE-2024-7302: 
WordPress vulnerability analysis and mitigation

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) via 3gp2 file uploads in versions up to and including 7.5.4. The vulnerability was disclosed on August 1, 2024, and is tracked as CVE-2024-7302 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's file upload functionality. The issue has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows authenticated attackers with author-level access or above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the uploaded 3gp2 file, potentially compromising the security of site visitors (NVD).

Users are advised to update to a version newer than 7.5.4 to address this vulnerability. The fix has been implemented in subsequent versions of the plugin (WordPress Plugin).