CVE-2024-7878: 
WordPress vulnerability analysis and mitigation

The WP ULike WordPress plugin before version 4.7.4 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and publicly disclosed on September 4, 2024, and was assigned the identifier CVE-2024-7878. The vulnerability affects the plugin's settings functionality and impacts WordPress installations using the WP ULike plugin versions prior to 4.7.4 (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. This could potentially lead to the execution of malicious JavaScript code in users' browsers (WPScan).

The vulnerability has been patched in version 4.7.4 of the WP ULike plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).