CVE-2024-11279: 
WordPress vulnerability analysis and mitigation

The Schema App Structured Data plugin for WordPress (versions up to 2.2.4) contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2024-11279. The vulnerability was discovered and disclosed on December 11, 2024, affecting the plugin's URL handling functionality (NVD).

The vulnerability stems from improper escaping in the use of add_query_arg function when handling URLs. This implementation flaw creates a potential attack vector where malicious scripts can be injected into web pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could lead to the compromise of user sessions, theft of sensitive information, or manipulation of website content (NVD).

The vulnerability has been patched in version 2.2.5 of the Schema App Structured Data plugin. Users are strongly advised to update to this latest version which includes security fixes addressing the improper sanitization and escaping in admin notices and settings pages (WordPress Plugin).