CVE-2024-8759: 
WordPress vulnerability analysis and mitigation

The Nested Pages WordPress plugin before version 3.2.9 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-8759. The vulnerability was discovered in the plugin's settings functionality, where certain fields lack proper sanitization and escaping mechanisms. This security issue affects high-privilege users such as administrators, particularly in multisite WordPress installations where the unfiltered_html capability is disabled (WPScan).

The vulnerability stems from improper sanitization and escaping of settings in the Nested Pages plugin. Specifically, the issue manifests in the 'All Pages view' functionality where the Title field of child pages lacks proper input sanitization. The vulnerability has been assigned a CVSS 3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite WordPress installations where the unfiltered_html capability is typically disabled as a security measure. The impact is limited to scenarios where an attacker has administrative access to the WordPress installation (WPScan).

The vulnerability has been patched in version 3.2.9 of the Nested Pages plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).