CVE-2024-11854: 
WordPress vulnerability analysis and mitigation

The Listdom – Business Directory and Classified Ads Listings WordPress Plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'shortcode' parameter in versions up to and including 3.7.0. This vulnerability was disclosed on December 4, 2024, and has been assigned CVE-2024-11854. The issue affects WordPress installations using the Listdom plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of the 'shortcode' parameter. This security flaw has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD).

Users are advised to update their Listdom plugin to a version newer than 3.7.0. The vulnerability has been patched in subsequent releases (WordPress Plugin).