Cyber Resilience

CVE-2024-11199

Severity: Medium

Published: 23 November 2024
Modified: 05 June 2025
CVSS Score v3.1: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.1373 (94.4th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11199 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Rescuethemes Rescue Shortcodes. Its CVSS base score is 6.4 (Medium).

Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Rescue Shortcodes plugin for WordPress is affected by a stored cross-site scripting vulnerability in all versions through 2.9. The issue resides in the rescue_progressbar shortcode, where insufficient input sanitization and output escaping on user-supplied attributes allow arbitrary script injection, corresponding to CWE-79 with a CVSS 3.1 score of 6.4.

Authenticated attackers holding contributor-level access or higher can exploit the flaw by embedding malicious payloads in shortcode attributes on pages or posts. The injected scripts execute in the browsers of any visitors who view the compromised content, enabling session hijacking, defacement, or theft of sensitive information within the site context.

The referenced WordPress plugin Trac changeset and Wordfence advisory point to an available update that addresses the shortcode handling, with the changeset indicating remediation in versions beyond 2.9; site administrators should apply the latest release from the official repository.
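The root cause described above, illustrated with a hypothetical WordPress shortcode handler (an added example, not Rescue Shortcodes' own code; the attribute names `percent`, `label` and `color` are assumptions): the first version interpolates shortcode attributes into HTML unescaped, the second coerces each attribute to its expected type and escapes it for the context it lands in.

```php
<?php
// Added illustration, not the plugin's code. Attribute names are assumed.

// Vulnerable pattern: attributes reach the page unescaped. Any user who can
// author content (contributor and above) controls these strings, so a crafted
// attribute value becomes stored markup served to every visitor of the page.
function example_progressbar_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'percent' => '0', 'label' => '', 'color' => '#0073aa' ),
        $atts,
        'example_progressbar'
    );
    return '<div class="bar" style="width:' . $atts['percent'] . '%;background:'
         . $atts['color'] . '">' . $atts['label'] . '</div>';
}

// Hardened pattern: validate each attribute against the type it must have and
// escape it for the exact HTML context (inline style, element text) it is used in.
function example_progressbar_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'percent' => '0', 'label' => '', 'color' => '#0073aa' ),
        $atts,
        'example_progressbar'
    );

    // A percentage is a bounded integer; anything else is discarded.
    $percent = max( 0, min( 100, absint( $atts['percent'] ) ) );

    // Only a hex colour is accepted; sanitize_hex_color() returns '' for an
    // empty value and null for an invalid one, so both fall back to the default.
    $color = sanitize_hex_color( $atts['color'] );
    if ( empty( $color ) ) {
        $color = '#0073aa';
    }

    // The style attribute goes through esc_attr(), visible text through esc_html().
    $style = sprintf( 'width:%d%%;background:%s', $percent, $color );
    return sprintf(
        '<div class="bar" style="%s">%s</div>',
        esc_attr( $style ),
        esc_html( $atts['label'] )
    );
}

// Only the hardened handler is registered.
add_shortcode( 'example_progressbar', 'example_progressbar_safe' );
```

Because the payload is stored, fixing the handler also neutralises content that was injected before the update, since escaping happens at render time rather than at save time.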

EPSS remains flat at 0.1373 with no observed increase after disclosure.

Vulnerability details

The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rescue_progressbar shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CWE(s)

CWE-79: Cross-site Scripting

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rescuethemes: rescue shortcodes, versions ≤ 3.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Addresses CWE-79: Validates web inputs to reject script-related content that could produce XSS.

Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
