CVE-2024-11402: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WP-speedup Block Editor Bootstrap Blocks WordPress plugin, affecting versions through 6.6.1. The vulnerability was discovered by Le Ngoc Anh from sun*inc and was publicly disclosed on November 20, 2024 (Patchstack, Wordfence).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It has been assigned a CVSS v3.1 score of 7.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 6.6.2 of the Block Editor Bootstrap Blocks plugin. Users are advised to update to version 6.6.2 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).