CVE-2024-9771: 
WordPress vulnerability analysis and mitigation

The WP-Recall WordPress plugin before version 16.26.12 contains a security vulnerability that affects its settings functionality. The plugin fails to properly sanitize and escape certain settings, potentially allowing high-privilege users such as administrators to perform Stored Cross-Site Scripting (XSS) attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups (WPScan, NVD).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue with a CVSS v3.1 base score of 3.5 (LOW), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The vulnerability specifically affects the settings page of the plugin, where certain input fields are not properly sanitized before being stored and displayed (WPScan).

When exploited, this vulnerability allows privileged users to store and execute malicious JavaScript code on the website. This can lead to potential client-side attacks against other users who access the affected pages, even in environments where unfiltered HTML is typically restricted (WPScan).

Users are advised to update their WP-Recall plugin to version 16.26.12 or later, which contains the fix for this vulnerability (WPScan).