CVE-2024-51889: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in GeroNikolov's Fancy User List WordPress plugin, affecting versions up to and including 3.1. The vulnerability was discovered by SOPROBRO and was disclosed on November 8, 2024, receiving the identifier CVE-2024-51889 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires low attack complexity, requires low privileges, and needs user interaction for exploitation. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers to inject malicious scripts into the website, which can then be executed when visitors access the affected pages. These scripts could potentially be used to redirect users, inject unwanted advertisements, or execute other malicious HTML payloads (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).