CVE-2024-11141: 
WordPress vulnerability analysis and mitigation

The Sailthru Triggermail WordPress plugin through version 1.1 contains a security vulnerability identified as CVE-2024-11141. The vulnerability was discovered and reported by Bob Matyas, and was publicly disclosed on November 12, 2024. This security issue affects the plugin's settings handling functionality, specifically impacting WordPress installations using the Sailthru Triggermail plugin (WPScan).

The vulnerability stems from improper input sanitization and escaping of plugin settings, combined with missing CSRF (Cross-Site Scripting) protection. This security weakness allows subscribers to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 8.0 (high), indicating significant severity (WPScan).

When exploited, this vulnerability enables subscribers to execute Stored Cross-Site Scripting attacks on affected WordPress installations. This could potentially lead to unauthorized script execution in users' browsers, potentially compromising sensitive information or performing unauthorized actions on behalf of other users (WPScan).

Currently, there is no known fix available for this vulnerability in the Sailthru Triggermail WordPress plugin (WPScan).