CVE-2024-8987: 
WordPress vulnerability analysis and mitigation

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youzify_media shortcode in versions up to and including 1.3.0. The vulnerability was discovered and disclosed on October 9, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the youzify_media shortcode. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to session hijacking or other client-side attacks (NVD).

Users should upgrade to version 1.3.1 or later which contains security fixes for this vulnerability (WordPress Plugin).