CVE-2024-51583: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in KentoThemes Kento Ads Rotator WordPress plugin, affecting versions up to and including 1.3. The vulnerability was discovered by SOPROBRO and publicly disclosed on October 31, 2024. This security issue allows authenticated users with contributor-level access or higher to inject malicious web scripts into pages (WPScan, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality. It has been assigned CVE-2024-51583 and received varying CVSS scores: NIST rates it at 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigns it a score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page. The injected scripts could potentially be used to redirect users, display unwanted advertisements, or execute other malicious HTML payloads on the website (Patchstack).

Currently, there is no official fix available for this vulnerability. The security issue has been classified as having a low priority for virtual patching, suggesting that while it poses a risk, it is unlikely to be widely exploited (Patchstack).

The vulnerability has been acknowledged and documented by several security platforms including Wordfence, WPScan, and Patchstack, indicating significant attention from the WordPress security community (Wordfence).