CVE-2024-11428: 
WordPress vulnerability analysis and mitigation

The Lazy load videos and sticky control plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11428) affecting all versions up to and including 3.0.0. The vulnerability exists in the plugin's 'lazy-load-videos-and-sticky-control' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of user-supplied attributes in the plugin's shortcode functionality (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The vulnerability has been addressed in version 3.0.1 of the plugin, released on November 21, 2024. Users are advised to update to this latest version, which includes a comprehensive security review and WordPress coding standards compliance updates (WordPress Plugin).