CVE-2024-6264: 
WordPress vulnerability analysis and mitigation

The Post Meta Data Manager plugin for WordPress (CVE-2024-6264) contains a Stored Cross-Site Scripting vulnerability via the '$meta_key' parameter in versions up to and including 1.2.3. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on July 2, 2024 (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the Post Meta Data Manager plugin. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD CVE).

A patch has been released to address this vulnerability. Users should upgrade to version 1.3.0 or later of the Post Meta Data Manager plugin (WordPress Patch).