CVE-2024-9027: 
WordPress vulnerability analysis and mitigation

The WPZOOM Shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9027) affecting all versions up to and including 1.0.5. The vulnerability was discovered and disclosed on September 24, 2024, impacting the plugin's 'box' shortcode functionality (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'box' shortcode. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD CVE).

The plugin has been permanently closed as of September 23, 2024, and is no longer available for download. Users should remove the plugin from their WordPress installations to mitigate the vulnerability (WordPress Plugin).