CVE-2024-11287: 
WordPress vulnerability analysis and mitigation

The Ebook Store plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-11287) that affects all versions up to and including 5.8001. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on December 21, 2024 (CVE Details).

The vulnerability stems from improper use of the add_query_arg function without appropriate URL escaping. This implementation flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (CVE Details).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The potential impact includes unauthorized information disclosure and possible manipulation of user interactions with the affected WordPress site (CVE Details).

Users running affected versions of the Ebook Store WordPress plugin (versions up to and including 5.8001) should update to a patched version when available. In the meantime, website administrators should implement additional security controls and monitor for suspicious activities (CVE Details).