CVE-2024-51678: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Marcel Pol Elo Rating Shortcode WordPress plugin, tracked as CVE-2024-51678. The vulnerability affects versions through 1.0.3 of the plugin and was discovered on October 8, 2024, with public disclosure occurring on November 1, 2024. The vulnerability requires Contributor or higher privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a slightly higher score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor with contributor-level access or higher to inject malicious scripts into the website. These scripts could be used to implement redirects, insert unauthorized advertisements, or execute other HTML payloads that would affect visitors to the affected site (Patchstack).

The vulnerability has been patched in version 1.0.4 of the Elo Rating Shortcode plugin. Users are advised to update to this version or later to remediate the security issue. The vulnerability is considered to have a low severity impact and is deemed unlikely to be exploited (Patchstack).