CVE-2024-11763

Name of the Vulnerable Software and Affected Versions Plezi plugin for WordPress versions up to, and including, 1.0.6

Description The Plezi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'plezi' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations Update to the latest version of the Plezi plugin for WordPress to mitigate the risk of Stored Cross-Site Scripting. As a temporary workaround, consider restricting access to the 'plezi' shortcode for users with contributor-level access and above until the update is applied. Restrict the use of user-supplied attributes in the 'plezi' shortcode to minimize the risk of exploitation.