CVE-2024-8799: 
WordPress vulnerability analysis and mitigation

The Custom Banners plugin for WordPress (versions up to 3.3) contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-8799) discovered and reported by Wordfence. The vulnerability was disclosed on October 1, 2024, and affects the plugin due to improper escaping of the URL in the addqueryarg function (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium). The attack vector is characterized as Network (N) with Low attack complexity (L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is changed (S:C) with Low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could lead to the compromise of user sessions, theft of sensitive information, or manipulation of webpage content (NVD).

Users of the Custom Banners plugin should upgrade to a version newer than 3.3 as soon as possible to address this vulnerability. The vulnerability exists in all versions up to and including version 3.3 (NVD).