CVE-2024-51572: 
WordPress vulnerability analysis and mitigation

The LH QR Codes WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 1.06. The vulnerability was discovered by researcher SOPROBRO and was publicly disclosed on October 31, 2024. This security issue has been assigned CVE-2024-51572 and affects the plugin's web page generation functionality due to insufficient input sanitization (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security issue stems from insufficient input sanitization and output escaping in the plugin's functionality (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads that execute in visitors' browsers (WPScan, Patchstack).

Currently, there is no official fix available for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).