CVE-2024-9020: 
WordPress vulnerability analysis and mitigation

The List category posts WordPress plugin before version 0.90.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on December 27, 2024, and was assigned CVE-2024-9020. The plugin fails to properly validate and escape certain shortcode attributes before outputting them back in pages or posts where the shortcode is embedded (WPScan).

The vulnerability stems from insufficient validation and escaping of shortcode attributes in the plugin's functionality. Users with contributor-level permissions or higher can exploit this vulnerability by manipulating shortcode attributes that are later rendered in pages or posts. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting (XSS) attacks. This could potentially lead to client-side code execution in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability has been patched in version 0.90.3 of the List category posts plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).