CVE-2024-10340: 
WordPress vulnerability analysis and mitigation

The Shortcodes Blocks Creator Ultimate plugin for WordPress has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-10340). The vulnerability affects versions up to and including 2.1.3, discovered by researcher István Márton and disclosed on November 4, 2024. The issue specifically involves the 'scu' shortcode functionality within the plugin (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue, stemming from insufficient input sanitization and output escaping on user-supplied attributes in the 'scu' shortcode. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially affecting all visitors to the affected WordPress site (NVD CVE).

Website administrators running the Shortcodes Blocks Creator Ultimate plugin should ensure they are not using a version affected by this vulnerability (2.1.3 or earlier). Updates should be applied as soon as they become available to patch this security issue (NVD CVE).