CVE-2024-8243: 
WordPress vulnerability analysis and mitigation

The WordPress Plugin Upgrade Time Out Plugin through version 1.0 contains a vulnerability that combines Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) issues. The plugin lacks proper CSRF checks in certain areas and is missing proper sanitization and escaping mechanisms. This vulnerability was discovered and publicly disclosed on March 19, 2025 (WPScan).

The vulnerability stems from the absence of CSRF protection mechanisms and inadequate input sanitization in the plugin's implementation. The CVSS 3.1 score is 6.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability is classified under OWASP Top 10 category A2: Broken Authentication and Session Management and is associated with CWE-352 (WPScan).

When successfully exploited, this vulnerability allows attackers to make logged-in administrators inadvertently add stored XSS payloads through CSRF attacks. This combination of CSRF and stored XSS could lead to persistent malicious scripts being executed in the administrator's context (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the WordPress Plugin Upgrade Time Out Plugin should consider removing or disabling the plugin until a security update is released (WPScan).