CVE-2024-6462: 
WordPress vulnerability analysis and mitigation

The DL Yandex Metrika WordPress plugin through version 1.2 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-6462. The vulnerability was discovered and publicly published on June 7, 2024. The issue affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of settings fields in the plugin. Specifically, the field 'Выберите сайт из списк' in the admin dashboard is vulnerable to XSS injection. The vulnerability has been assigned a CVSS score of 4.8 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue is particularly notable as it can be exploited even when the unfiltered_html capability is disallowed, such as in multisite setups (NVD, WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to client-side code execution in the context of other administrators viewing the affected pages. The impact is somewhat limited due to the requirement of administrative access to exploit the vulnerability (WPScan).

Currently, there is no known fix available for this vulnerability in the DL Yandex Metrika plugin. Users should consider implementing additional security measures or evaluating alternative solutions until a patch is released (WPScan).