CVE-2024-11806 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the PKT1 Centro de envios plugin for WordPress, affecting all versions up to and including 1.2.1. The vulnerability stems from insufficient sanitization and escaping of the 'success' and 'error' parameters in HTTP requests, which are reflected in web pages generated by the plugin. An attacker can craft malicious URLs containing JavaScript payloads in these parameters. When a user clicks such a link, the injected script executes in the context of the victim's browser, potentially allowing theft of cookies, session tokens, or performing unauthorized actions on behalf of the user. The vulnerability requires no authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 base score is 6.1, indicating medium severity, with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, meaning it is remotely exploitable with low attack complexity, no privileges required, user interaction needed, and impacts confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability is categorized under CWE-79, a common web application security weakness related to improper neutralization of input during web page generation. The plugin is used in WordPress environments, which are widely deployed globally, especially in small to medium businesses and e-commerce sites. Attackers could leverage this vulnerability in phishing campaigns or targeted attacks to compromise user sessions or deface sites.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. While availability is not directly affected, the trustworthiness of affected websites can be undermined, potentially damaging organizational reputation and customer confidence. Organizations relying on the PKT1 Centro de envios plugin may face targeted phishing attacks leveraging this flaw to compromise users. The vulnerability's ease of exploitation (no authentication needed, low complexity) increases risk, especially for sites with high user interaction. The scope change in the CVSS vector indicates that exploitation can affect resources beyond the vulnerable component, potentially impacting the entire web application session. Although no active exploits are reported, the presence of this vulnerability in a widely used CMS plugin poses a latent risk that could be weaponized by attackers. This is particularly concerning for organizations handling sensitive customer information or financial transactions through their WordPress sites.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, site administrators can implement strict input validation and output encoding on the 'success' and 'error' parameters to neutralize malicious scripts. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting these parameters can provide interim protection. Additionally, enabling Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts. Educating users to avoid clicking suspicious or unsolicited links reduces the risk of exploitation. Regular security audits and scanning for XSS vulnerabilities in WordPress plugins are recommended. Finally, consider limiting the use of this plugin or replacing it with alternatives that follow secure coding practices if timely patches are unavailable.