CVE-2024-9454: 
WordPress vulnerability analysis and mitigation

The PriPre plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9454) affecting all versions up to and including 0.4.11. The vulnerability was discovered and disclosed by Wordfence, with the plugin being closed on October 21, 2024, due to security issues (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of SVG file uploads. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability enables attackers to execute arbitrary web scripts in the context of other users' browsers when they access the compromised SVG file. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser session (NVD).

The plugin has been closed and is no longer available for download from the WordPress plugin repository as of October 21, 2024. Users should immediately remove the plugin from their WordPress installations to mitigate the security risk (WordPress Plugin).