CVE-2024-11445 is a stored cross-site scripting vulnerability in the Image Magnify WordPress plugin by sazzadh. It affects all versions up to and including 1.1. The flaw is due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping on attributes passed to the 'image_magnify' shortcode. Authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code that executes in the context of users viewing the compromised page. This can lead to limited confidentiality and integrity impacts but no availability impact. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and partial confidentiality and integrity impact.

An attacker with contributor-level access or higher can inject persistent malicious scripts into pages using the vulnerable shortcode. These scripts execute in the browsers of users who visit the infected pages, potentially leading to theft of sensitive information or manipulation of page content. The impact is limited to confidentiality and integrity with no direct availability impact. Because the vulnerability requires authenticated access, the risk is somewhat reduced compared to unauthenticated XSS. No known exploits are reported in the wild.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, restrict contributor-level access to trusted users only and consider disabling or removing the Image Magnify plugin until a fix is released. Avoid using the 'image_magnify' shortcode with untrusted input. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.