CVE-2024-11904 is a stored cross-site scripting vulnerability classified under CWE-79, found in the 코드엠샵 소셜톡 plugin for WordPress. The vulnerability exists in the 'msntt_add_plus_talk' shortcode due to improper neutralization of user-supplied input. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level permissions or higher. This flaw enables these users to inject arbitrary JavaScript code into pages, which is then stored persistently and executed in the browsers of any users who visit the affected pages. The attack vector requires authenticated access but no additional user interaction, making it a significant risk within environments where contributor-level access is granted. The vulnerability affects all versions up to and including 1.2.0 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. While no known exploits have been reported in the wild, the vulnerability's nature allows for potential session hijacking, credential theft, or unauthorized actions performed under the victim's context. The plugin is developed by codemstory and is used primarily in WordPress environments, which are widely deployed globally. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for mitigation strategies.

The impact of CVE-2024-11904 is significant for organizations running WordPress sites with the vulnerable 코드엠샵 소셜톡 plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, defacement, or distribution of malware. This compromises the confidentiality and integrity of user data and can damage organizational reputation. Since the vulnerability is stored XSS, the malicious payload persists and affects all users accessing the compromised content. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with multiple contributors or less strict access controls. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire website or user base. Organizations relying on this plugin may face increased risk of targeted attacks, especially if attackers gain contributor credentials through phishing or other means. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation.

To mitigate CVE-2024-11904, organizations should first verify whether they use the 코드엠샵 소셜톡 plugin and identify the version in use. If an updated patched version is released, immediate upgrading to that version is recommended. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and review user permissions to minimize the number of accounts with such privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can provide temporary protection. Additionally, site administrators should audit existing content for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Regular monitoring of logs and user activity can help detect attempts to exploit this vulnerability. Finally, educating contributors about secure input practices and the risks of injecting untrusted content can reduce the likelihood of exploitation.