CVE-2024-9457: 
WordPress vulnerability analysis and mitigation

The WP Builder plugin for WordPress (versions up to 3.0.7) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-9457. The vulnerability was discovered and disclosed on October 9, 2024, affecting the SVG file upload functionality. The plugin has been closed since October 8, 2024, due to this security issue (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially compromising the security of the website and its users (NVD).

The plugin has been closed due to this security issue. Users should immediately remove the WP Builder plugin from their WordPress installations to mitigate the risk (WordPress Plugin).