CVE-2024-51860: 
WordPress vulnerability analysis and mitigation

The Custom Dashboard Widget WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-51860. The vulnerability affects versions up to and including 1.0.0 of the plugin, discovered on November 8, 2024, by researcher SOPROBRO. The security issue stems from insufficient input sanitization and output escaping in the DuoGeek Custom Dashboard Widget (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue requires contributor-level access or higher to exploit, making it an authenticated vulnerability (NVD, Patchstack).

When exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page. This could enable malicious actors to inject various payloads including redirects, advertisements, and other HTML content that executes in visitors' browsers (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects version 1.0.0 and earlier versions of the Custom Dashboard Widget plugin (WPScan).