CVE-2024-9638: 
WordPress vulnerability analysis and mitigation

The Category Posts Widget WordPress plugin before version 4.9.18 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-9638. The vulnerability was discovered and disclosed on December 17, 2024, affecting WordPress installations using the Category Posts Widget plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw exists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to client-side code execution in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability has been patched in version 4.9.18 of the Category Posts Widget plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).