CVE-2024-11867 is a stored cross-site scripting vulnerability identified in the Companion Portfolio – Responsive Portfolio Plugin for WordPress, versions up to and including 2.4.0.1. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'companion-portfolio' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the affected page, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of victims. The vulnerability requires authentication but no user interaction, and can be exploited remotely over the network. The CVSS 3.1 base score of 6.4 indicates a medium severity with partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level access to untrusted users. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web application security issue. The vulnerability was published on December 14, 2024, and remains unpatched as no patch links are provided.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement of website content. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability does not affect availability, denial of service is unlikely. However, the scope is significant because many WordPress sites use this plugin, and contributor-level access is commonly granted to multiple users, including external collaborators. Organizations with active content contributors or multi-user environments are at higher risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate risk, as attackers may develop exploits given the public disclosure. The vulnerability also poses compliance risks for organizations subject to data protection regulations due to potential data exposure.

Organizations should immediately assess their use of the Companion Portfolio – Responsive Portfolio Plugin and upgrade to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review user permissions to minimize exposure. Implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the 'companion-portfolio' shortcode can provide temporary protection. Additionally, site administrators can apply manual input validation and output encoding on user-supplied attributes if customization is possible. Regularly monitoring logs for suspicious activity related to shortcode usage and user input can help detect exploitation attempts. Educating contributors about the risks of injecting untrusted content and enforcing strict content submission policies will reduce the likelihood of exploitation. Finally, maintaining up-to-date backups and incident response plans will aid in recovery if an attack occurs.