CVE-2024-11895

Summary

CVE-2024-11895 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Online Payments plugin for WordPress. Versions up to 3.20.0 are vulnerable to this issue. Attackers with contributor-level access or higher can exploit the flaw by injecting malicious scripts into the plugin's shortcodes, which then execute whenever a user accesses the manipulated pages. This vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes, enabling attackers to inject arbitrary web scripts and potentially steal sensitive information or gain unauthorized access.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.