CVE-2024-51700

CVE-2024-51700 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, affecting the NAVER Analytics WordPress plugin by eutrue (naver-analytics). This issue impacts all versions from unknown initial release through 0.9 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as tricking a user into performing an action. The attack scenario involves CSRF leading to stored XSS, where malicious input is injected and persists on the site, executing in the context of other users (S:C) who view affected pages. Successful exploitation enables low-level impacts on confidentiality, integrity, and availability, such as session hijacking or data theft for viewing users.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/naver-analytics/vulnerability/wordpress-naver-analytics-plugin-0-9-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS vulnerability specifically in version 0.9 of the WordPress NAVER Analytics plugin. Security practitioners should consult this reference for detailed mitigation steps, including potential patches or configuration changes to prevent exploitation.