CVE-2024-11866 is a stored cross-site scripting vulnerability identified in the BMLT Tabbed Map plugin for WordPress, affecting all versions up to and including 1.1.8. The root cause is insufficient sanitization and escaping of user-supplied attributes passed through the 'bmlt_tabbed_map' shortcode. Authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into pages generated by the plugin. This malicious code is stored persistently and executed in the browsers of any users who visit the compromised pages, enabling session hijacking, credential theft, or other malicious actions. The vulnerability leverages CWE-79, which pertains to improper neutralization of input during web page generation. Exploitation requires no user interaction beyond visiting the infected page, and the attack scope is limited to sites using the vulnerable plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and low impact on confidentiality and integrity, and no impact on availability. No patches or public exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the BMLT Tabbed Map plugin. This can lead to session hijacking, defacement, unauthorized actions performed on behalf of users, and theft of sensitive data such as cookies or credentials. Since the injected scripts execute in the context of any user visiting the infected page, the attack surface includes all site visitors, including administrators. This can undermine user trust, damage organizational reputation, and potentially lead to further compromise of the website or connected systems. The vulnerability does not directly affect availability but compromises confidentiality and integrity. Organizations relying on this plugin for critical web functionality may face increased risk of targeted attacks or automated exploitation once public exploits emerge.

To mitigate CVE-2024-11866, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute payloads can provide interim protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly scanning the website for XSS payloads and monitoring logs for unusual activity is recommended. Developers maintaining the plugin should update input validation and output encoding routines to properly sanitize all user-supplied shortcode attributes. Finally, educating users about the risks of elevated privileges and enforcing the principle of least privilege will reduce exploitation likelihood.