CVE-2024-51591: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in wpgrids Slicko plugin for WordPress, affecting versions up to and including 1.2.0. The vulnerability was discovered on October 31, 2024, and allows DOM-Based XSS attacks through insufficient input sanitization and output escaping (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack has assigned a slightly higher CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to data theft, session hijacking, or other malicious actions (WPScan).

Currently, there is no known fix available for this vulnerability. Users are advised to implement additional access controls and monitor contributor-level account activities (Patchstack).