CVE-2024-3919: 
WordPress vulnerability analysis and mitigation

The OpenPGP Form Encryption for WordPress plugin before version 1.5.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on July 13, 2024, and is tracked as CVE-2024-3919. The issue affects users with contributor role and above who can exploit the vulnerability through shortcode attributes in WordPress pages or posts (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in pages or posts where the shortcode is embedded. The vulnerability has been assigned a CVSS 3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required privileges, and user interaction (CISA-ADP).

When exploited, this vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in users' browsers when viewing affected pages (WPScan).

The vulnerability has been fixed in version 1.5.1 of the OpenPGP Form Encryption for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).