CVE-2024-8426: 
WordPress vulnerability analysis and mitigation

The Page Builder: Pagelayer WordPress plugin before version 1.8.8 contains a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-8426. The vulnerability was discovered by Jeewan Kumar Bhatta and was publicly disclosed on July 28, 2024. This security issue affects the plugin's settings functionality, specifically impacting high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings, which persists even when the unfiltered_html capability is disallowed. The issue has been classified as CWE-79: Cross-Site Scripting and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The vulnerability has been assigned a CVSS score of 3.5 (low severity) by WPScan, while CISA-ADP has rated it with a base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, Wiz).

When exploited, the vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks. The XSS payload triggers every time the affected page is loaded and when users click on the Pagelayer settings tab (WPScan).

The vulnerability has been addressed and fixed in version 1.8.8 of the Pagelayer plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).