CVE-2024-11945 is a stored cross-site scripting vulnerability identified in the Email Reminders plugin for WordPress developed by wpdevelop. This vulnerability affects all versions up to and including 2.0.4. The root cause is insufficient sanitization and escaping of the ‘id’ parameter during web page generation, which allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the affected page and does not require administrative privileges, only Contributor-level access, which is commonly granted to trusted users who can submit content. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impacts. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin’s user base. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that handle user-generated content.

The impact of CVE-2024-11945 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed with the victim’s privileges, and further compromise of the website or its users. Since the vulnerability requires only Contributor-level access, attackers can leverage compromised or malicious user accounts to escalate their impact. This can undermine trust in the website, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. The vulnerability does not directly affect availability but can indirectly cause denial of service through exploitation or cleanup efforts. Organizations relying on the Email Reminders plugin for critical communications may face operational disruptions and reputational damage if exploited. The global scale of WordPress usage means that a wide range of sectors, including e-commerce, media, education, and government, could be affected.

To mitigate CVE-2024-11945, organizations should immediately update the Email Reminders plugin to a patched version once available. Until a patch is released, restrict Contributor-level access to trusted users only and review existing user roles to minimize exposure. Implement web application firewalls (WAFs) with rules to detect and block suspicious input patterns targeting the ‘id’ parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Conduct regular security audits and scanning of WordPress plugins for known vulnerabilities. Encourage developers and site administrators to apply secure coding practices, including rigorous input validation and output encoding, especially for user-supplied data. Monitor logs for unusual activity related to the plugin and user accounts with Contributor privileges. Consider disabling or replacing the Email Reminders plugin if it is not essential or if no timely patch is available. Finally, educate users about the risks of XSS and the importance of maintaining least privilege principles for user roles.