CVE-2024-12818: 
WordPress vulnerability analysis and mitigation

The WP Smart TV plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-12818) in versions up to and including 2.1.8. The vulnerability exists in the plugin's 'tv-video-player' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of user-supplied attributes in the 'tv-video-player' shortcode (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page (NVD).

Users should update their WP Smart TV plugin to a version newer than 2.1.8 when available. Until then, site administrators should carefully monitor and restrict access to users with contributor-level permissions or higher (NVD).