CVE-2024-9656: 
WordPress vulnerability analysis and mitigation

The Mynx Page Builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9656) that affects all versions up to and including 0.27.8. The vulnerability was disclosed on October 12, 2024, and the plugin has been subsequently closed on October 10, 2024 due to security issues (NVD, WordPress Plugin).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that occurs due to insufficient input sanitization and output escaping when handling SVG file uploads. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file (NVD).

The plugin has been closed and is no longer available for download from the WordPress plugin repository as of October 10, 2024. Users are advised to remove the plugin from their WordPress installations due to the security issue (WordPress Plugin).