CVE-2024-8492: 
WordPress vulnerability analysis and mitigation

CVE-2024-8492 affects the Hustle WordPress plugin through version 7.8.5. The vulnerability was discovered and reported by Dmitrii Ignatyev, with public disclosure occurring on July 29, 2024. This security flaw exists in the plugin's settings functionality where insufficient sanitization and escaping of certain parameters could lead to Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability stems from improper input validation in the Hustle WordPress plugin's settings, particularly affecting the pop-up functionality. The security flaw allows high-privilege users such as editors to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NIST NVD, Wiz).

When successfully exploited, this vulnerability enables attackers with editor-level privileges to inject and execute malicious JavaScript code in the context of other users' browsers who visit the affected pages. This could potentially lead to session hijacking, website defacement, or other client-side attacks (Wiz).

The vulnerability has been addressed in version 7.8.5 of the Hustle plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).