CVE-2024-11750 is a stored cross-site scripting vulnerability identified in the ONLYOFFICE DocSpace plugin for WordPress, affecting all versions up to and including 2.1.1. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'onlyoffice-docspace' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the affected page, enabling attackers to perform actions such as session hijacking, defacement, or unauthorized actions within the victim's browser context. The vulnerability requires authentication but no additional user interaction beyond page access. The CVSS v3.1 base score is 6.4, reflecting a medium severity due to the network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No public exploits have been reported to date, but the vulnerability poses a significant risk in multi-user WordPress environments where ONLYOFFICE DocSpace is deployed. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

The primary impact of CVE-2024-11750 is the compromise of confidentiality and integrity within affected WordPress sites using ONLYOFFICE DocSpace. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the browsers of any users visiting the infected pages. This can lead to session token theft, unauthorized actions performed on behalf of users, defacement of content, or distribution of malware. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or loss of user trust. Organizations with multiple contributors or editors are at higher risk, as the attack requires authenticated access. The medium CVSS score indicates a moderate risk, but the potential for lateral movement or privilege escalation via stolen credentials can amplify the impact. This threat is particularly relevant for organizations relying on ONLYOFFICE DocSpace for document collaboration within WordPress, including educational institutions, enterprises, and content-heavy websites.

To mitigate CVE-2024-11750, organizations should first check for and apply any available patches or updates from ONLYOFFICE or the plugin maintainers as soon as they are released. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide interim protection. Additionally, enabling Content Security Policy (CSP) headers can help limit the execution of unauthorized scripts. Regularly auditing user-generated content and shortcode usage for suspicious code is advised. Disabling or removing the ONLYOFFICE DocSpace plugin temporarily may be necessary if the risk is deemed unacceptable. Finally, educating contributors about secure content practices and monitoring logs for unusual activity can help detect exploitation attempts early.