CVE-2024-9662: 
WordPress vulnerability analysis and mitigation

The CYAN Backup WordPress plugin before version 2.5.3 contains a stored Cross-Site Scripting (XSS) vulnerability that was discovered by Bob Matyas and publicly disclosed on October 8, 2024. The vulnerability affects the plugin's general settings functionality and impacts WordPress installations using this plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of settings within the plugin. This security flaw specifically affects the plugin's settings functionality, allowing high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS score of 5.4 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (CISA-ADP, Wiz).

The vulnerability allows authenticated users with administrative privileges to inject and store malicious JavaScript code in the plugin's settings. When other users access the affected pages, the stored malicious code executes in their browsers, potentially leading to unauthorized actions or data theft (Wiz).

Users should update to CYAN Backup version 2.5.3 or later, which contains the fix for this vulnerability (WPScan).