CVE-2024-11938: 
WordPress vulnerability analysis and mitigation

The One Click Upsell Funnel for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting via the plugin's wpswocufpro_yes shortcode in versions up to and including 3.4.9. The vulnerability was discovered and disclosed on December 21, 2024. This security issue affects WordPress installations using the affected plugin versions (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the wpswocufpro_yes shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially compromising user data or performing unauthorized actions on behalf of the visiting users (NVD).

Users should update to a version newer than 3.4.9 when available. The vulnerability was fixed in version 3.4.10, released on December 20, 2024, which addressed the security issues (WordPress Plugin).