CVE-2024-11877: 
WordPress vulnerability analysis and mitigation

The Cricket Live Score plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11877) in versions up to and including 2.0.2. The vulnerability exists in the plugin's 'cricket_score' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium). The attack vector requires network access (N) with low attack complexity (L), requires low privileges (L), no user interaction (N), and has a changed scope (C) with low confidentiality (L) and integrity (L) impacts, but no availability impact (N) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update the Cricket Live Score plugin to a version newer than 2.0.2 once available. In the meantime, it is recommended to restrict access to the plugin's functionality to trusted users only (NVD).