CVE-2024-11887: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in geotargetly Geo Content
CVE-2024-11887 is a stored cross-site scripting (XSS) vulnerability in the Geo Content WordPress plugin, affecting all versions up to 6.0. It arises from improper input sanitization and output escaping in the 'geotargetlygeocontent' shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions. The vulnerability has a CVSS score of 6.4 (medium severity) and does not require user interaction but does require some level of authentication. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent exploitation, especially those with multiple contributors. Countries with significant WordPress usage and active web publishing communities are most at risk.
AI Analysis
Technical Summary
CVE-2024-11887 identifies a stored cross-site scripting vulnerability in the Geo Content plugin for WordPress, specifically within the 'geotargetlygeocontent' shortcode functionality. This vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing malicious JavaScript code to be stored persistently in the website's content. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary scripts into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions of the plugin up to and including version 6.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating the vulnerability can affect resources beyond the initially compromised component. No user interaction is needed for exploitation once the malicious content is injected. Although no public exploits are currently known, the risk remains significant due to the widespread use of WordPress and the plugin's role in content personalization based on geographic targeting.
Potential Impact
The impact of this vulnerability is primarily on the confidentiality and integrity of users interacting with affected WordPress sites. Attackers can execute arbitrary scripts in the context of the victim's browser, potentially stealing session cookies, redirecting users to malicious sites, or performing actions with the victim's privileges. This can lead to account compromise, data leakage, defacement, or further malware distribution. For organizations, this can damage reputation, result in loss of customer trust, and cause compliance issues if sensitive data is exposed. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The scope change means that the impact can extend beyond the plugin itself, affecting the entire website and its users. Given WordPress's global popularity, many organizations, especially those relying on user-generated content and multiple contributors, are at risk.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Geo Content plugin to a version that addresses this issue once available. Until a patch is released, restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the 'geotargetlygeocontent' shortcode. Employ content security policies (CSP) to limit the execution of unauthorized scripts on affected sites. Regularly scan and sanitize existing content for injected scripts, especially in pages using the vulnerable shortcode. Educate content contributors about safe input practices and monitor logs for unusual behavior. Additionally, consider disabling or removing the Geo Content plugin if it is not essential to reduce the attack surface.
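One way to carry out the content scan recommended above, as an added example that is not code from the advisory or from the plugin: it parses exported post content for the 'geotargetlygeocontent' shortcode and flags attribute values containing markup, event handlers, script URL schemes or encoded markup. The attribute names (`id`, `country`), the sample posts and the heuristic patterns are constructed assumptions; the page does not list the plugin's real attributes.

```python
import re

SHORTCODE = "geotargetlygeocontent"  # shortcode tag named in the advisory

# Captures the raw attribute string of each [geotargetlygeocontent ...] tag.
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=bareword
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristics (assumed): content that a plain shortcode attribute should not carry.
SUSPICIOUS = [
    ("markup character", re.compile(r"[<>\"'`]")),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script URL scheme",
     re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.IGNORECASE)),
    ("encoded markup",
     re.compile(r"&(?:#x?[0-9a-f]+|lt|gt|quot);?|%3c|%22", re.IGNORECASE)),
]

def scan_post(post_id, content):
    """Return one finding per suspicious shortcode attribute in a post body."""
    findings = []
    for tag in TAG_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            name = m.group(1)
            # Exactly one of the three value groups matched (may be empty).
            value = next(g for g in m.groups()[1:] if g is not None)
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            if reasons:
                findings.append({"post_id": post_id, "attr": name,
                                 "value": value, "reasons": reasons})
    return findings

def scan_all(posts):
    """posts: mapping of post id -> raw post_content, e.g. from a DB export."""
    return [f for pid, body in posts.items() for f in scan_post(pid, body)]

# Constructed sample data; 'id' is a hypothetical attribute name.
SAMPLE_POSTS = {
    101: 'Hello [geotargetlygeocontent id="42"] world',
    102: "Offer [geotargetlygeocontent id='7\" onmouseover=\"alert(1)'] here",
    103: "No shortcode here, just <b>bold</b> text.",
    104: '[geotargetlygeocontent id="javascript:void(0)"]',
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_POSTS):
        print(f"post {f['post_id']}: {f['attr']}={f['value']!r} -> {f['reasons']}")
```

Findings are leads for manual review of the post and its revision author, not proof of compromise; a clean result does not replace updating or removing the plugin.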
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-11-27T15:57:42.788Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e25b7ef31ef0b596afc
Added to database: 2/25/2026, 9:48:21 PM
Last enriched: 2/26/2026, 7:45:59 AM
Last updated: 2/26/2026, 8:47:51 AM