CVE-2024-11891 is a stored cross-site scripting vulnerability identified in the Perfect Font Awesome Integration plugin for WordPress, affecting all versions up to and including 2.3. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's 'pfai' shortcode attributes. This flaw allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no effect on availability. No patches or known exploits are currently reported, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The scope is limited to sites using this plugin and having users with contributor or higher roles, but the impact on affected sites can be substantial if exploited.

The primary impact of this vulnerability is the compromise of confidentiality and integrity on WordPress sites using the Perfect Font Awesome Integration plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, performing actions on behalf of other users, or defacing site content. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for contributor-level privileges, but many WordPress sites allow such roles for multiple users or external contributors. The vulnerability does not affect availability directly but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on this plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks or insider threats exploiting this flaw.

To mitigate CVE-2024-11891, organizations should: 1) Immediately update the Perfect Font Awesome Integration plugin to a patched version once available; if no patch exists, consider disabling or removing the plugin temporarily. 2) Restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3) Implement a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs or script tags. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Regularly audit user-generated content and shortcode usage for suspicious or unexpected scripts. 6) Educate site administrators and contributors about the risks of injecting untrusted content and encourage safe content practices. 7) Monitor logs and user activity for signs of exploitation attempts. These steps go beyond generic advice by focusing on privilege management, proactive detection, and layered defenses specific to WordPress shortcode injection scenarios.