CVE-2024-11195: 
WordPress vulnerability analysis and mitigation

The Email Subscription Popup plugin for WordPress (versions up to 1.2.22) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11195). The vulnerability exists in the plugin's print_email_subscribe_form shortcode functionality due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires no user interaction (UI:N), and has a changed scope (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (NVD).

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 1.2.23 of the Email Subscription Popup plugin. Users are advised to update to the latest version to protect against this security issue (WordPress Plugin).