CVE-2024-10715: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin (versions up to 2.94.1) was identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-10715). The vulnerability was discovered and reported on November 6, 2024, affecting the plugin's Map block functionality. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (MEDIUM) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts execute whenever a user accesses the compromised page, potentially leading to client-side attacks and data theft (NVD CVE).

Users should update their MapPress Maps for WordPress plugin to version 2.94.2 or later, which contains the security fix for this vulnerability (WordPress Plugin).