CVE-2024-51612: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Ken Charity Reftagger Shortcode WordPress plugin through version 1.1. The vulnerability was discovered on October 31, 2024, and was assigned CVE-2024-51612. The issue affects all versions of the Reftagger Shortcode plugin up to and including version 1.1 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is associated with CWE-79, which relates to improper neutralization of input during web page generation (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The vulnerability requires a minimum of Contributor-level privileges to exploit (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects version 1.1 and earlier versions of the plugin, but no patched version has been released at the time of reporting (Patchstack).

The vulnerability was initially reported by researcher SOPROBRO on October 19, 2024. Patchstack issued an early warning to their customers on October 31, 2024, before publishing the vulnerability details on November 2, 2024 (Patchstack).