CVE-2024-13377: 
WordPress vulnerability analysis and mitigation

The Gravity Forms plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13377) in versions up to and including 2.9.1.3. The vulnerability exists in the 'alt' parameter due to insufficient input sanitization and output escaping. This security issue was discovered and reported by mikemyers via Wordfence, and was addressed in version 2.9.2 released on January 16, 2025 (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has received a CVSS v3.1 Base Score of 7.2 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability stems from insufficient input sanitization and output escaping mechanisms in the plugin's handling of the 'alt' parameter (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to compromised user sessions and data theft (NVD).

The recommended mitigation is to update to Gravity Forms version 2.9.2 or later, which includes security enhancements that address this vulnerability. The fix was released as part of the January 16, 2025 update (Gravity Forms Changelog).