CVE-2024-11938 is a stored cross-site scripting (XSS) vulnerability identified in the One Click Upsell Funnel for WooCommerce plugin for WordPress, specifically in versions up to and including 3.4.9. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The plugin's shortcode wps_wocuf_pro_yes fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability requires no user interaction beyond visiting the infected page but does require the attacker to have at least contributor-level privileges, which is a moderate barrier. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WooCommerce and WordPress in e-commerce. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins that handle user-generated content or attributes.

The exploitation of this stored XSS vulnerability can lead to several adverse impacts on affected organizations. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of sensitive information, unauthorized actions such as changing account details or making fraudulent purchases, and defacement of web content. This can erode customer trust, damage brand reputation, and lead to financial losses. For e-commerce sites using WooCommerce upsell funnels, such attacks could disrupt sales processes or enable fraudulent transactions. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if administrative users are targeted. Since the vulnerability affects all versions up to 3.4.9, any site running these versions is at risk, especially those with multiple contributors or editors. The medium severity rating reflects the moderate difficulty of exploitation and the partial impact on confidentiality and integrity, but no direct impact on availability.

To mitigate this vulnerability, organizations should immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Site administrators should monitor pages using the wps_wocuf_pro_yes shortcode for any suspicious or unexpected content. Applying strict input validation and output encoding on all user-supplied attributes related to this shortcode is critical; developers should update the plugin code to sanitize inputs using WordPress’s built-in functions such as esc_attr() and esc_html() before output. Until an official patch is released, consider disabling or removing the vulnerable shortcode from active pages. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Finally, keep the plugin updated and subscribe to vendor advisories to apply patches promptly once available.