
CVE-2024-11502: CWE-79 Cross-Site Scripting (XSS) in Unknown Planning Center Online Giving

Severity: Medium
Tags: Vulnerability, CVE-2024-11502, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:06:50 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Planning Center Online Giving

Description

The Planning Center Online Giving WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

AI-Powered Analysis

Last updated: 07/04/2025, 06:58:15 UTC

Technical Analysis

CVE-2024-11502 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability in the Planning Center Online Giving WordPress plugin, affecting versions up to and including 1.0.0. The vulnerability arises because the plugin fails to validate and escape certain shortcode attributes before rendering them on pages or posts where the shortcode is embedded. Because shortcode attributes are plain text when the post is saved and are only expanded into HTML at render time, a user with contributor-level permissions or higher can store a crafted attribute value that is emitted as markup or script in the browser of every user who views the affected content. Contributors can add or edit content but hold no administrative privileges, so the flaw lets a low-privilege account run script in the context of higher-privilege viewers, including administrators. The CVSS 3.1 base score of 5.4 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), scope change (S:C), and limited impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The scope change means the vulnerability affects components beyond the vulnerable plugin itself, potentially impacting the entire WordPress site. No known exploits are reported in the wild, and no patches have been linked yet. The vulnerability is categorized under CWE-79, a common and well-understood class of XSS vulnerabilities that can lead to session hijacking, defacement, or redirection to malicious sites if exploited.
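The unescaped-attribute pattern described above, shown beside a hardened handler. This is an added illustration using a hypothetical `[giving_button]` shortcode, not the plugin's own code; it assumes it runs inside WordPress, where `add_shortcode()`, `shortcode_atts()`, `esc_attr()`, `esc_html()` and `esc_url()` are available.

```php
<?php
// Added example (hypothetical shortcode, not the Planning Center plugin's code).
// Assumes a WordPress runtime providing add_shortcode(), shortcode_atts(),
// esc_attr(), esc_html() and esc_url().

// Vulnerable pattern: attribute values are concatenated straight into HTML.
// The post body is kses-filtered on save for contributors, but a shortcode
// attribute is plain text at that point and only becomes HTML at render time,
// so a value containing a quote or angle bracket breaks out of the attribute
// and is rendered for every viewer of the page.
function giving_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Give', 'url' => '', 'class' => 'btn' ),
        $atts,
        'giving_button'
    );
    return '<a class="' . $atts['class'] . '" href="' . $atts['url'] . '">'
         . $atts['label'] . '</a>';
}

// Hardened pattern: validate where the value set is known, and escape every
// value for the exact context (attribute, URL, text node) it lands in.
function giving_button_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Give', 'url' => '', 'class' => 'btn' ),
        $atts,
        'giving_button'
    );

    // Allow-list the CSS class instead of trusting arbitrary input.
    $allowed_classes = array( 'btn', 'btn-primary', 'btn-large' );
    $class = in_array( $atts['class'], $allowed_classes, true ) ? $atts['class'] : 'btn';

    // esc_url() rejects disallowed schemes and encodes the rest for attribute use.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // refuse to render a link with no safe destination
    }

    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( $class ),      // attribute context
        $url,                    // already escaped by esc_url()
        esc_html( $atts['label'] ) // text-node context
    );
}

add_shortcode( 'giving_button', 'giving_button_hardened' );
```

The same split applies when reviewing any shortcode: attributes that reach `shortcode_atts()` must still be treated as untrusted, because the default values only apply when the attribute is absent, not when it is malformed.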

Potential Impact

For European organizations using the Planning Center Online Giving plugin on WordPress sites, this vulnerability poses a risk of unauthorized script execution that can compromise user sessions, steal sensitive information, or manipulate site content. Given that contributors can exploit this flaw, insider threats or compromised contributor accounts could lead to persistent malicious code injection. This can damage organizational reputation, lead to data breaches involving donor or user information, and potentially violate GDPR requirements related to data protection and breach notification. The impact is particularly significant for non-profits, religious organizations, and charities that rely on this plugin for online donations, as trust and data integrity are critical. Additionally, the scope change indicates that the vulnerability could affect other parts of the website, increasing the risk of broader compromise. Although no active exploits are known, the ease of exploitation (low complexity) and network accessibility mean attackers could weaponize this vulnerability if it remains unpatched.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations for the presence of the Planning Center Online Giving plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor permissions to trusted users only and consider temporarily disabling the plugin or removing shortcodes that accept user input. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script payloads in shortcode attributes can provide interim protection. Additionally, site administrators should enforce strict content security policies (CSP) to limit script execution sources and monitor logs for unusual activity indicative of XSS attempts. Regular backups and incident response plans should be updated to address potential exploitation. Organizations should subscribe to vendor and security mailing lists to promptly apply patches once available. Finally, educating contributors about safe content practices and the risks of injecting untrusted code can reduce accidental exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-11-20T15:21:10.494Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec1be

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:58:15 AM

Last updated: 8/14/2025, 6:56:00 AM
