CVE-2024-11582: 
WordPress vulnerability analysis and mitigation

The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11582) affecting all versions up to and including 10.43. The vulnerability was discovered and reported by Wordfence, with the disclosure date of February 18, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the ip parameter. It has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Wordfence).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. The impact is considered significant as it can lead to the compromise of user data and potential session hijacking (NVD).

Users should upgrade to a version newer than 10.43 when available. The vulnerability has been identified in the source code at class-s2-list-table.php (WordPress Plugin).