The Video Conferencing with Zoom plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-2031. This vulnerability exists due to improper neutralization of input during web page generation, specifically in the 'zoom_recordings_by_meeting' shortcode. Authenticated users with contributor-level or higher permissions can inject arbitrary JavaScript code because the plugin does not sufficiently sanitize or escape user-supplied attributes. This malicious code executes in the context of other users viewing the injected pages, potentially leading to information disclosure or session hijacking. The vulnerability affects all plugin versions up to 4.4.4. The CVSS v3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, and partial confidentiality and integrity impact. No patch or official vendor advisory is currently available, and no exploits are known in the wild.

An authenticated attacker with contributor-level or higher permissions can inject persistent malicious scripts into pages using the vulnerable shortcode. These scripts execute in the browsers of users who access the affected pages, potentially allowing theft of sensitive information or session tokens. The impact includes partial confidentiality and integrity loss but no availability impact. The vulnerability requires authentication and has low attack complexity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level permissions to trusted users only and consider disabling or removing the 'zoom_recordings_by_meeting' shortcode if possible to prevent exploitation. Monitor for updates from the plugin vendor and apply patches promptly once available.