CVE-2024-11183: 
WordPress vulnerability analysis and mitigation

The Simple Side Tab WordPress plugin before version 2.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on November 16, 2024, affecting the plugin's settings functionality. The issue stems from inadequate sanitization and escaping of certain plugin settings, particularly impacting high-privilege users such as administrators (WPScan, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue. The specific vulnerability exists in the rum_sst_plugin_options[pixels_from_top] parameter, which lacks proper input sanitization. The CVSS v3.1 score is 4.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. This could potentially lead to client-side code execution in the context of other administrative users' sessions (WPScan).

The vulnerability has been patched in version 2.2.0 of the Simple Side Tab plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).