CVE-2024-10939: 
WordPress vulnerability analysis and mitigation

The Image Widget WordPress plugin versions before 4.4.11 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-10939. The vulnerability was discovered and publicly disclosed on November 22, 2024. This security issue affects the Image Widget settings functionality in WordPress installations, particularly impacting multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of Image Widget settings. The issue allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows privileged users to store and execute malicious JavaScript code through the Image Widget settings. This is particularly concerning in multisite WordPress installations where even administrators are typically restricted from using unfiltered HTML (WPScan).

The vulnerability has been patched in version 4.4.11 of the Image Widget plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).