CVE-2024-10342: 
WordPress vulnerability analysis and mitigation

The League of Legends Shortcodes plugin for WordPress (versions up to and including 1.0.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10342) that was disclosed on October 25, 2024. The vulnerability affects the plugin's shortcode functionality and stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) using the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires an authenticated user with contributor-level permissions or higher to exploit. The core issue lies in the improper handling of user-supplied attributes in shortcodes (NVD, Wordfence).

When successfully exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the compromised page. The impact is rated as Medium severity, with potential for both confidentiality and integrity breaches (NVD).

Users should update the League of Legends Shortcodes plugin to a version newer than 1.0.1 if available. If updates are not available, consider removing or disabling the plugin until a patch is released (NVD).