CVE-2024-11357: 
WordPress vulnerability analysis and mitigation

The goodlayers-core WordPress plugin before version 2.0.10 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and was disclosed on December 12, 2024, receiving the identifier CVE-2024-11357. This security issue affects users with contributor role and above, as the plugin fails to properly sanitize and escape some of its settings (WPScan).

The vulnerability stems from insufficient sanitization and escaping of settings within the plugin. It has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The issue specifically affects the plugin's handling of element settings, such as the Accordion Element, where unsanitized input can be stored and later executed (WPScan, NVD).

When exploited, this vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. The stored XSS payload can affect administrators reviewing posts, potentially leading to unauthorized actions being performed in their browser context (WPScan).

The vulnerability has been patched in version 2.0.10 of the goodlayers-core plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).