CVE-2024-51594: 
WordPress vulnerability analysis and mitigation

The Gmap Point List WordPress plugin through version 1.1.2 contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by SOPROBRO and publicly disclosed on October 31, 2024. The affected software is Rafel Sansó's Gmap Point List plugin for WordPress, with all versions up to and including 1.1.2 being vulnerable (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79), specifically a Stored Cross-Site Scripting (XSS) issue. It has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website, which will be executed when guests visit the site. The attack requires contributor-level privileges to exploit (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the low severity impact and unlikely exploitation potential, no immediate mitigation action is deemed necessary (Patchstack).