CVE-2024-11910: 
WordPress vulnerability analysis and mitigation

The WP Crowdfunding plugin for WordPress (versions up to 2.1.12) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11910) discovered in December 2024. The vulnerability exists in the wp-crowdfunding/search block due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector requires an authenticated attacker with Contributor-level access or higher privileges. The vulnerability stems from improper input sanitization and output escaping in the wp-crowdfunding/search block functionality (NVD, Wordfence).

When successfully exploited, the vulnerability allows authenticated attackers to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 2.1.13 of the WP Crowdfunding plugin. Site administrators are strongly advised to update to this latest version to protect against potential attacks (WordPress Plugin).