CVE-2024-11414: 
WordPress vulnerability analysis and mitigation

The RecipePress Reloaded plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11414) affecting all versions up to and including 2.12.0. The vulnerability was discovered and reported by SOPROBRO, and the plugin was subsequently closed on November 20, 2024, due to security concerns (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in the Recipe Ingredients functionality. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

As of November 20, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to remove the plugin from their WordPress installations until a secure alternative can be implemented (WordPress Plugin).