CVE-2024-11202: 
WordPress vulnerability analysis and mitigation

Multiple WordPress plugins developed by CreativeMinds are affected by a Reflected Cross-Site Scripting vulnerability (CVE-2024-11202) via the cmindsfreeguide shortcode. The vulnerability was discovered and disclosed on November 26, 2024, affecting various versions of plugins including CM Business Directory, CM Email Blacklist, CM Header Footer Script Loader, CM On-Demand Search and Replace, CM Pop-Up Banners, CM Video Lesson Manager, and Enhanced Tooltip Glossary (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the cmindsfreeguide shortcode implementation across multiple CreativeMinds plugins. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the compromise of user sessions or the execution of unauthorized actions on behalf of the victim (NVD).

Multiple patches have been released through various plugin updates, as evidenced by the changelog entries and WordPress repository updates. Users are advised to update their affected CreativeMinds plugins to their latest versions (WordPress Plugin).