CVE-2024-11876 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Kredeum NFTs WordPress plugin, which facilitates direct NFT sales on WordPress sites. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the 'kredeum_opensky' shortcode. The plugin fails to sufficiently sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction but requires authenticated access, which limits the attack surface to users with at least contributor privileges. The CVSS 3.1 score of 6.4 reflects a medium severity, indicating moderate impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or less stringent access controls. The issue underscores the importance of proper input validation and output encoding in plugin development to prevent injection attacks.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users visiting those pages. This can lead to session hijacking, theft of sensitive information such as authentication tokens, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. For organizations, this can result in compromised user accounts, loss of customer trust, reputational damage, and potential regulatory consequences if user data is exposed. Since the plugin is related to NFT sales, attackers could also manipulate NFT transactions or listings, causing financial loss or fraud. The requirement for authenticated access reduces the risk from external anonymous attackers but elevates the threat from insider attackers or compromised contributor accounts. The vulnerability affects the integrity and confidentiality of affected sites but does not impact availability directly. Organizations relying on this plugin for NFT sales on WordPress sites are at risk, especially if they have multiple contributors or weak access controls.

1. Immediately update the Kredeum NFTs plugin to a patched version once available from the vendor. Monitor the vendor’s announcements for security updates. 2. If a patch is not yet available, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious input injection. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections targeting the 'kredeum_opensky' shortcode parameters. 4. Conduct a thorough audit of existing content generated by the plugin to identify and remove any injected malicious scripts. 5. Harden WordPress security by enforcing strong authentication, limiting plugin installation permissions, and monitoring user activities for anomalous behavior. 6. Educate contributors about safe input practices and the risks of injecting untrusted content. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 8. Regularly back up WordPress sites to enable quick restoration in case of compromise. These steps go beyond generic advice by focusing on access control, proactive detection, and content auditing specific to this plugin’s vulnerability.