CVE-2024-11886
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The vCita plugin for WordPress <= 2.7.1 has a Stored XSS vulnerability in its 'vCitaMeetingScheduler' shortcode, allowing contributor-level attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting vulnerability exists in the Contact Form and Calls To Action by vcita plugin for WordPress, up to and including version 2.7.1 [1][2]. The flaw resides in the plugin's vCitaMeetingScheduler shortcode handler, which fails to properly sanitize user-supplied attributes and escape output [1][2]. This allows attributes like title, width, or height to contain arbitrary JavaScript that is injected into the page HTML and later executed in the browser of any visitor viewing the affected page [1][2].
Exploitation
An attacker must have an account with at least contributor-level access on the target WordPress site [1][2]. With that access, the attacker creates or edits a post or page and includes the [vCitaMeetingScheduler] shortcode with a malicious payload in one of its attributes, such as title [1][2]. No other privileges or user interaction beyond viewing the page is required; the injected script executes automatically when any user accesses the crafted page [1][2].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser session on the affected WordPress site [1][2]. This can lead to session hijacking, defacement, theft of authentication cookies, or redirection to malicious sites, compromising the confidentiality and integrity of the site and its users [1][2]. The attacker can also use this to impersonate other users or escalate privileges if combined with other vulnerabilities [1][2].
Mitigation
The vendor has not released a patched version as of the publication date; however, users should update to the latest available version once it is provided [1][2]. As a workaround, site administrators can restrict contributor-level access to trusted users only, disable the vulnerable shortcode via WordPress filters, or use a web application firewall to block malicious attribute patterns [1][2]. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
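The root cause described above (shortcode attributes written into HTML without sanitization or escaping) and the "disable the vulnerable shortcode" workaround from the Mitigation section both come down to a few lines of WordPress code. The following is an added illustration, not the vcita plugin's own code: the weak concatenation pattern beside a hardened handler, plus the site-level unregistration workaround. The shortcode name `demo_scheduler`, the output markup, and the `demo_scheduler_*` function names are hypothetical; only the attribute names (title, width, height) and the `vCitaMeetingScheduler` tag are taken from the advisory.

```php
<?php
/**
 * Added illustration (not the vcita plugin's code). Contributor-level users
 * cannot post raw HTML, but they can place shortcodes in post content, so
 * every shortcode attribute must be treated as untrusted input.
 */

// Weak pattern (not registered): attribute values concatenated straight into
// HTML. Whatever a contributor puts in title="..." lands in the page verbatim.
function demo_scheduler_unsafe( $atts ) {
    return '<div class="scheduler" title="' . $atts['title'] . '" '
         . 'style="width:' . $atts['width'] . 'px;height:' . $atts['height'] . 'px"></div>';
}

// Hardened pattern: whitelist attributes with defaults, coerce numeric values,
// and escape each value for the exact HTML context it is written into.
function demo_scheduler_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'title'  => '',
            'width'  => 400,
            'height' => 600,
        ),
        $atts,
        'demo_scheduler' // hypothetical shortcode tag
    );

    // absint() keeps only a non-negative integer, so nothing but digits can
    // reach the inline style.
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );

    // esc_attr() encodes quotes and angle brackets so the value cannot close
    // the attribute; esc_html() does the same for text content.
    return sprintf(
        '<div class="scheduler" title="%s" style="width:%dpx;height:%dpx">%s</div>',
        esc_attr( $atts['title'] ),
        $width,
        $height,
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'demo_scheduler', 'demo_scheduler_safe' );

// Site-level workaround named in the Mitigation section: unregister the
// affected shortcode once plugins have loaded. A late priority on 'init' runs
// after the plugin's own add_shortcode() call, so the tag is rendered as plain
// text instead of being expanded into HTML. Drop this into a must-use plugin.
add_action( 'init', function () {
    remove_shortcode( 'vCitaMeetingScheduler' );
}, 100 );
```

The unregistration snippet is a stop-gap for sites that cannot remove the plugin immediately; since no fixed version exists, uninstalling the plugin remains the actual remediation.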
Affected products
2 entries
- (no CPE) range: <= 2.7.1
- (no CPE) range: <= 2.7.1
Patches
lead-capturing-call-to-actions-by-vcita: This plugin has been removed from the WordPress.org directory on 2025-01-30 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/lead-capturing-call-to-actions.php (source: NVD)
- https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-widgets-functions.php (source: NVD)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a9021b4-54f8-4ba3-bc81-49271dde1b44 (source: NVD)