CVE-2024-11924: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2024-11924) affects the Icegram Express (formerly known as Email Subscribers) WordPress plugin versions before 5.7.52. The vulnerability was discovered by Dmitrii Ignatyev and was publicly disclosed on March 27, 2025. This security issue involves improper sanitization and escaping of plugin settings, potentially enabling stored Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 3.5 (LOW), and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The technical issue stems from the plugin's failure to properly sanitize and escape certain settings, which can be exploited even when the unfiltered_html capability is disabled, such as in multisite setups (NVD).

The vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks. This can potentially lead to client-side code execution in the context of other users' browsers who view the affected content, even in environments where the unfiltered_html capability is explicitly disallowed (WPScan).

The vulnerability has been patched in version 5.7.52 of the Icegram Express plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).