CVE-2024-25094: 
WordPress vulnerability analysis and mitigation

The PJ News Ticker WordPress plugin through version 1.9.5 contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Ngô Thiên An (ancorn) and was disclosed on February 12, 2024. The issue affects the plugin's shortcode functionality and impacts WordPress installations using PJ News Ticker versions up to and including 1.9.5 ([Patchstack](https://patchstack.com/database/vulnerability/pj-news-ticker/wordpress-pj-news-ticker-plugin-1-9-5-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality. This security flaw has been assigned CVE-2024-25094. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a score of 6.5 (Medium) (WPScan).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to compromised user sessions, data theft, or other malicious actions (WPScan).

The vulnerability has been patched in version 1.9.6 of the PJ News Ticker plugin. Site administrators are strongly advised to update to this version or later to address the security issue (Patchstack).