CVE-2024-8703: 
WordPress vulnerability analysis and mitigation

CVE-2024-8703 affects the Z-Downloads WordPress plugin versions before 1.11.6. The vulnerability was discovered by Minh Giang & Christopher Houk and was publicly disclosed on September 18, 2024. This security issue exists in the plugin's handling of parameters in share URLs (WPScan).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It has received a CVSS score of 8.8 (high) and CISA-ADP Base Score of 6.1 (medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from the plugin's failure to properly sanitize and escape parameters when outputting them in the page, particularly when accessing share URLs (Wiz, NVD).

The vulnerability enables unauthenticated visitors to perform Cross-Site Scripting attacks through share URLs. The high CVSS score indicates significant potential impact on data confidentiality and integrity. Successful exploitation could allow attackers to inject malicious scripts that execute in users' browsers, potentially leading to session hijacking, credential theft, or other client-side attacks (Wiz).

The vulnerability has been patched in version 1.11.6 of the Z-Downloads plugin. Website administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).