CVE-2024-11930 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Taskbuilder – WordPress Project & Task Management plugin for WordPress, affecting all versions up to and including 3.0.6. The vulnerability stems from improper neutralization of input during web page generation, specifically within the plugin's wppm_tasks shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the compromised page, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the context of the victim's browser session. The vulnerability does not require user interaction beyond visiting the injected page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low complexity but requires privileges (authenticated contributor or above). The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges by impacting other users. No patches or known exploits are currently documented, but the risk remains significant due to the widespread use of WordPress and the plugin’s role in project and task management environments.

The impact of CVE-2024-11930 can be significant for organizations using the Taskbuilder plugin on WordPress sites. Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. This compromises the confidentiality and integrity of user data and site content. Although availability is not directly affected, the trustworthiness of the affected web application is undermined. Organizations relying on this plugin for project and task management may face operational disruptions, reputational damage, and increased risk of further exploitation if attackers leverage the XSS to escalate privileges or deploy additional payloads. The requirement for contributor-level access limits exposure somewhat but does not eliminate risk, especially in environments with many authenticated users or weak access controls.

To mitigate CVE-2024-11930, organizations should first check for and apply any official patches or updates from the Taskbuilder plugin vendor once available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and review user roles and permissions to minimize exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the wppm_tasks shortcode can provide interim protection. Additionally, site administrators can apply custom input validation and output encoding on user-supplied attributes within the shortcode to prevent script injection. Regular security audits and monitoring for unusual activity or injected scripts on pages using the shortcode are recommended. Educating users about the risks of XSS and encouraging the use of security headers such as Content Security Policy (CSP) can further reduce the impact of potential exploitation.