CVE-2024-9066: 
WordPress vulnerability analysis and mitigation

The Marketing and SEO Booster plugin for WordPress (CVE-2024-9066) is a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 1.9.10. The vulnerability was discovered and disclosed on October 9, 2024, impacting the WordPress plugin ecosystem (NVD).

The vulnerability stems from insufficient input sanitization and output escaping when handling SVG file uploads. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Wordfence has assigned a slightly higher CVSS score of 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the SVG file, potentially compromising the security of site visitors (NVD).

The plugin has been closed as of October 8, 2024, due to security issues and is no longer available for download from the WordPress plugin repository (WordPress Plugin). Users are advised to remove this plugin from their WordPress installations to prevent potential exploitation.