CVE-2024-11900 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin 'Portfolio – Filterable Masonry Portfolio Gallery for Professionals' developed by logichunt. This vulnerability affects all plugin versions up to and including 1.2.2. The root cause is insufficient sanitization and output escaping of user-supplied attributes within the plugin's 'portfolio-pro' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode parameters. Because the malicious script is stored, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability requires no user interaction beyond visiting the compromised page and does not require elevated privileges beyond contributor access, which is commonly granted to users who can submit content but not publish it directly. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No known public exploits have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user input for dynamic content generation.

The impact of CVE-2024-11900 is significant for organizations using the affected WordPress plugin. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts into website pages, which execute in the browsers of any visitors to those pages. This can lead to session hijacking, theft of sensitive user data, defacement, or redirection to malicious sites. Since contributor-level access is often granted to content creators or external collaborators, the attack surface is broader than administrator-only vulnerabilities. The compromise of user sessions or credentials could facilitate further attacks, including privilege escalation or data breaches. For organizations relying on this plugin for portfolio presentation, the vulnerability undermines website integrity and user trust. Although no active exploitation is currently known, the medium severity score and ease of exploitation warrant prompt remediation to prevent potential damage, especially for high-traffic or customer-facing sites.

To mitigate CVE-2024-11900, organizations should: 1) Immediately update the 'Portfolio – Filterable Masonry Portfolio Gallery for Professionals' plugin to a patched version once available. If no patch is released yet, consider temporarily disabling the plugin or removing the 'portfolio-pro' shortcode usage. 2) Restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns or script tags in user inputs. 4) Conduct regular security audits of user-generated content, especially shortcodes, to identify and remove injected scripts. 5) Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. 6) Educate content contributors about safe content submission practices and the risks of injecting untrusted code. 7) Monitor website logs and user activity for anomalies indicative of exploitation attempts. These steps combined will reduce the likelihood and impact of exploitation until an official patch is applied.