CVE-2024-11875 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WordPress plugin 'Add infos to The Events Calendar' developed by hage. This vulnerability affects all versions up to and including 1.4.1. The root cause is insufficient sanitization and escaping of user-supplied attributes within the plugin's 'fuss' shortcode, which is used to add information to event calendar pages. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode attributes. Because the injected scripts are stored persistently, they execute in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability requires no user interaction beyond viewing the injected page and has a CVSS v3.1 base score of 6.4, reflecting medium severity with network attack vector, low complexity, and privileges required. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level users to add or edit content. The scope is limited to sites running the vulnerable plugin versions, but the impact can be broad due to the widespread use of WordPress and event calendar plugins. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

The impact of CVE-2024-11875 can be significant for organizations using the affected WordPress plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as authentication cookies, unauthorized actions performed on behalf of users, defacement of website content, and potential spread of malware. Since contributor-level users are often trusted content creators, the attack surface includes internal users or compromised accounts, increasing the risk of insider threats or account takeover scenarios. The vulnerability undermines the confidentiality and integrity of user data and site content, though it does not directly affect availability. Organizations relying on the plugin for event management may suffer reputational damage and loss of user trust if exploited. The medium CVSS score reflects a moderate but actionable risk, especially for sites with multiple contributors or high traffic. Without mitigation, attackers could leverage this flaw to escalate privileges or pivot to further attacks within the WordPress environment.

To mitigate CVE-2024-11875, organizations should take several specific actions beyond generic advice: 1) Immediately restrict contributor-level permissions to trusted users only, minimizing the risk of malicious content injection. 2) Monitor and audit all content submissions involving the 'fuss' shortcode for suspicious or unexpected script tags or attributes. 3) Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the shortcode parameters. 4) Until an official patch is released, consider disabling or removing the 'Add infos to The Events Calendar' plugin if feasible, or replace it with alternative event calendar plugins that follow secure coding practices. 5) Educate content contributors about safe content practices and the risks of embedding scripts. 6) Use security plugins that provide enhanced input sanitization and output escaping for shortcodes and user-generated content. 7) Regularly update WordPress core, themes, and plugins to incorporate security fixes promptly. 8) Conduct penetration testing focused on shortcode inputs to identify any residual injection points. These targeted measures will reduce the attack surface and prevent exploitation while awaiting an official patch.