Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Interactive Human Anatomy with Clickable Body Parts WordPress plugin up to version 2.6. It occurs because the plugin does not properly sanitize input or escape output in admin settings, allowing authenticated users with administrator-level permissions to inject malicious scripts. These scripts execute whenever a user accesses the affected page. The vulnerability affects only multi-site installations or those where unfiltered_html is disabled.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

An attacker with administrator-level access can inject malicious scripts that execute in the context of users visiting the infected pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting users of the site. Since the vulnerability requires high privileges and affects multi-site or restricted HTML installations, the impact is limited to such environments but can still compromise site security and user trust.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Interactive Human Anatomy with Clickable Body Parts plugin to a version later than 2.6 once available. Additionally, ensure that only trusted administrators have access to the admin settings, and consider enabling unfiltered_html if it is safe to do so in your environment. For multi-site installations, review and restrict administrator permissions carefully to prevent exploitation.

Useful 0 Not Useful 0