CVE-2024-11189: 
WordPress vulnerability analysis and mitigation

The Social Share And Social Locker WordPress plugin (ARSocial) before version 1.4.2 contains a security vulnerability identified as CVE-2024-11189. The vulnerability was discovered by security researcher Bob Matyas and was publicly disclosed on February 25, 2025. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, categorized under CWE-79. The security flaw exists due to insufficient sanitization and escaping of certain plugin settings, specifically in the Social Network Configuration section where input validation is inadequate. The vulnerability has been assigned a CVSS score of 4.8 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite WordPress setups where strict content filtering is typically enforced (NVD).

The vulnerability has been patched in version 1.4.2 of the Social Share And Social Locker WordPress plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).