CVE-2024-11873 is a stored cross-site scripting vulnerability identified in the glomex oEmbed plugin for WordPress, which is widely used to embed video content. The flaw exists in all versions up to and including 0.9.1 due to insufficient sanitization and escaping of user-supplied attributes within the 'glomex_integration' shortcode. This improper neutralization of input (CWE-79) allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability requires no user interaction but does require authenticated access, which limits exploitation to users with some level of trust within the WordPress environment. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No patches or official fixes were linked at the time of publication, and no known exploits have been reported in the wild. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user input for dynamic content generation.

The impact of CVE-2024-11873 can be significant for organizations running WordPress sites with the glomex oEmbed plugin installed. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information such as authentication cookies, unauthorized actions performed on behalf of users, defacement of website content, and potential spread of malware. Since the vulnerability requires authenticated access, the risk is higher in environments where contributor or higher roles are assigned to untrusted or compromised users. For high-traffic websites or those handling sensitive data, the consequences can include reputational damage, data breaches, and loss of user trust. Additionally, the scope of affected systems is broad as all versions of the plugin up to 0.9.1 are vulnerable, and WordPress remains a dominant CMS worldwide, increasing the potential attack surface.

To mitigate CVE-2024-11873, organizations should immediately update the glomex oEmbed plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack vector. Restrict contributor-level and higher privileges to trusted users only and review user roles to minimize the risk of insider threats. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the 'glomex_integration' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly audit WordPress plugins for security updates and conduct penetration testing focusing on user input handling. Educate site administrators and contributors about the risks of XSS and the importance of secure content management practices.