CVE-2024-11375: 
WordPress vulnerability analysis and mitigation

The WC1C plugin for WordPress (CVE-2024-11375) contains a Reflected Cross-Site Scripting vulnerability affecting all versions up to and including 0.23.0. The vulnerability was discovered by researcher vgo0 and was publicly disclosed on January 6, 2025 (Wordfence Intel).

The vulnerability stems from improper use of the addqueryarg function without appropriate URL escaping. This has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on malicious links. The impact is considered moderate, with potential for both information disclosure and integrity compromise (NVD).

Users of the WC1C WordPress plugin should upgrade to a version newer than 0.23.0 when available. Until then, website administrators should exercise caution when clicking on unknown links and consider implementing additional security measures such as Content Security Policy (CSP) headers (NVD).