CVE-2024-11929 is a vulnerability identified in the Responsive FlipBook Plugin for WordPress, maintained by mpc, affecting all versions up to and including 2.5.0. The root cause is a missing authorization control (CWE-862) combined with insufficient input sanitization and output escaping in the rfbwp_save_settings() function. This flaw allows authenticated users with minimal privileges (Subscriber-level or above) to inject arbitrary JavaScript code that is stored persistently within the plugin's settings. When any user, including administrators or visitors, accesses the affected pages, the injected scripts execute in their browsers. This stored cross-site scripting (XSS) can be leveraged for session hijacking, privilege escalation, or delivering further malicious payloads. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting its medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No official patches or exploit code are currently available, but the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The flaw highlights the importance of proper authorization checks and rigorous input validation in plugin development.

The primary impact of CVE-2024-11929 is the potential for attackers with low-level authenticated access to inject malicious scripts into WordPress sites using the Responsive FlipBook Plugin. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and reputational damage. Since the injected scripts execute in the context of the victim's browser, attackers can bypass same-origin policies and potentially spread malware or conduct phishing attacks. The vulnerability affects the confidentiality and integrity of site data and user sessions but does not directly impact availability. Organizations running WordPress sites with this plugin are at risk of compromise, especially if they allow low-privilege user registrations or have multiple users with Subscriber or higher roles. The scope of affected systems is broad given WordPress's popularity, and exploitation could facilitate further attacks within compromised environments.

To mitigate CVE-2024-11929, organizations should first verify if they use the Responsive FlipBook Plugin and identify the version in use. Since no official patch is currently available, immediate mitigation steps include restricting user roles to minimize the number of users with Subscriber or higher privileges, especially on publicly accessible sites. Implementing web application firewall (WAF) rules to detect and block suspicious script injection attempts targeting the plugin's settings endpoint can reduce risk. Administrators should audit and sanitize existing plugin settings to remove any injected scripts. Monitoring logs for unusual activity related to plugin settings changes is recommended. Additionally, disabling or uninstalling the plugin until a patch is released can eliminate exposure. Developers and site owners should follow best practices by applying principle of least privilege, validating and escaping all user inputs, and enforcing strict authorization checks in plugin code. Staying updated with vendor advisories and applying patches promptly upon release is critical.