CVE-2024-11140: 
WordPress vulnerability analysis and mitigation

The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through version 2.0.8 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11140. The vulnerability was discovered by Bob Matyas and publicly disclosed on November 12, 2024. This security issue affects the plugin's settings functionality, specifically impacting high-privilege users such as administrators (WPScan, Wiz).

The vulnerability stems from improper sanitization and escaping of certain plugin settings, particularly in the category management functionality. The security flaw persists even when the unfiltered_html capability is disallowed, which is especially relevant in multisite WordPress setups. The vulnerability has been classified as XSS (CWE-79) with a CVSS score of 3.5, indicating low severity (WPScan).

When exploited, the vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. Attackers could potentially inject malicious JavaScript code that would be stored in the database and executed when other users view the affected pages (Wiz).

Currently, there is no known fix available for this vulnerability in the Real WP Shop Lite Ajax eCommerce Shopping Cart plugin (WPScan).