CVE-2024-11451 is a stored cross-site scripting vulnerability identified in the Zooom plugin for WordPress, affecting all versions up to and including 1.1.0. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'zooom' shortcode. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change due to the impact on other users. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors and visitors. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2024-11451 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, defacement of website content, or redirection to malicious sites. This can damage the reputation of the affected organization, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. The vulnerability affects any organization using the Zooom plugin, particularly those with multiple authenticated users and high visitor traffic. Since the attack requires authentication but no user interaction, insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The scope of impact extends beyond the initial attacker, affecting all users who view the injected content, thereby amplifying the risk.

Organizations should immediately audit their WordPress installations to identify the presence of the Zooom plugin and verify its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If removal is not feasible, restrict contributor-level access and above to trusted users only, and implement strict user account management policies including multi-factor authentication and regular access reviews. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs or script injection patterns. Additionally, monitor site content for unauthorized script injections and conduct regular security scans. Developers and site administrators should sanitize and escape all user inputs rigorously, especially in shortcode implementations. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. Finally, educate contributors about the risks of injecting untrusted content and enforce content submission guidelines.