CVE-2024-11374: 
WordPress vulnerability analysis and mitigation

The TWChat WordPress plugin (versions up to 4.0.4) contains a Reflected Cross-Site Scripting vulnerability, identified as CVE-2024-11374. The vulnerability was discovered by researcher vgo0 and publicly disclosed on December 6, 2024. The issue affects the 'Send or receive messages from users' functionality in the plugin and has been assigned a CVSS v3.1 score of 6.1 (Medium) (Wordfence Intel).

The vulnerability stems from improper use of the remove_query_arg function without appropriate URL escaping in the plugin's code. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD Database).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users interact with malicious links. The impact is reflected in the CVSS metrics showing low confidentiality and integrity impact, with no availability impact (NVD Database).

As of December 2024, this vulnerability remains unpatched according to available sources (Wordfence Blog).