CVE-2024-11875: 
WordPress vulnerability analysis and mitigation

The Add infos to the events calendar plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11875) discovered in December 2024. The vulnerability affects all versions up to and including 1.4.1 of the plugin. The issue exists in the plugin's 'fuss' shortcode functionality due to insufficient input sanitization and output escaping of user-supplied attributes (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical root cause stems from improper sanitization and escaping of user input in the plugin's 'fuss' shortcode implementation (Wordfence Intel).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD CVE).

Users should update to version 1.5.0 or later of the Add infos to the events calendar plugin, which contains fixes for this vulnerability (WordPress Plugin).