CVE-2024-11338: 
WordPress vulnerability analysis and mitigation

The PIXNET Plugin for WordPress (versions up to 2.9.10) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-11338. The vulnerability was discovered and reported by Wordfence, with the disclosure date being January 7, 2025. The plugin has been closed as of December 31, 2024 due to security issues (WordPress Plugin).

The vulnerability exists due to insufficient input sanitization and output escaping in the 'gtm' and 'venue' parameters. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The plugin has been closed and is no longer available for download from the WordPress plugin repository as of December 31, 2024. Users are advised to remove this plugin from their WordPress installations immediately (WordPress Plugin).