CVE-2024-9446: 
WordPress vulnerability analysis and mitigation

The WP Simple Anchors Links plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9446) that affects all versions up to and including 1.0.0. The vulnerability was discovered and disclosed on October 30, 2024, leading to the plugin being closed in the WordPress repository. The vulnerability exists in the plugin's wpanchor shortcode functionality (Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the wpanchor shortcode. The issue has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

Due to the security issue, the plugin has been closed and is no longer available for download from the WordPress plugin repository as of October 30, 2024. Users are advised to remove the plugin from their WordPress installations (WordPress Plugin).