CVE-2024-9368: 
WordPress vulnerability analysis and mitigation

The Aggregator Advanced Settings plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9368) affecting all versions up to and including 1.2.1. The vulnerability was discovered and disclosed on October 4, 2024, impacting WordPress installations with the affected plugin versions (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's SVG file upload functionality. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised SVG file (NVD).

The plugin has been closed as of October 2, 2024, and is no longer available for download due to this security issue. Users should immediately remove the plugin from their WordPress installations (WordPress Plugin).