CVE-2024-54399: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the CRUDLab Google Plus Button WordPress plugin, affecting versions up to 1.0.2. The vulnerability was initially reported by researcher SOPROBRO on October 22, 2024, and was officially published on December 12, 2024. The vulnerability received the identifier CVE-2024-54399 and allows for Stored Cross-Site Scripting (XSS) attacks (Patchstack Database).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery) and requires no authentication to exploit. The vulnerability combines both CSRF and Stored XSS capabilities, making it a potentially serious security concern (NVD, Patchstack Database).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF with Stored XSS capabilities increases the potential impact, as it could lead to persistent malicious code execution in the context of other users' sessions (Patchstack Database).

As of the vulnerability disclosure, no official fix is available for the affected versions (<=1.0.2) of the CRUDLab Google Plus Button plugin. Website administrators are advised to consider removing the plugin or implementing additional security controls to mitigate the risk (Patchstack Database).