CVE-2024-11221: 
WordPress vulnerability analysis and mitigation

The Full Screen (Page) Background Image Slideshow WordPress plugin through version 1.1 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11221. The vulnerability was discovered by Bob Matyas and was officially assigned on November 14, 2024. This security issue affects WordPress installations using the affected plugin, particularly in multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings, specifically in the 'Animation Duration' field on the plugin's settings page. The security flaw persists even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS 3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability enables high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact could lead to client-side code execution in the context of other users' browsers who visit the affected admin pages (WPScan).

Currently, there is no known fix available for this vulnerability. Site administrators should consider implementing additional security measures or temporarily disabling the plugin until a security patch is released (Wiz).