CVE-2024-51871
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in luzuk Themes Luzuk Team luzuk-team allows Stored XSS. This issue affects Luzuk Team: from n/a through <= 0.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Luzuk Team WordPress plugin (≤0.1.0) allows authenticated attackers to inject arbitrary scripts via improper input neutralization.
Vulnerability
Analysis
The Luzuk Team plugin for WordPress, versions 0.1.0 and earlier, contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw exists in the plugin's handling of certain fields, where unsanitized input is stored and later rendered on pages, allowing injection of arbitrary HTML and JavaScript [1].
Exploitation
Prerequisites
Exploitation requires an authenticated user with Contributor-level privileges or higher, depending on the plugin's configuration. The attacker injects a malicious payload into a vulnerable field (such as a team member description or similar input). When a site visitor accesses an affected page, the stored script executes in their browser context [1].
Impact
Successful exploitation enables the attacker to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, stealing cookies or session tokens, and defacing the website. The CVSS v3 base score of 6.5 reflects a medium severity, with high impact on integrity and partial impact on confidentiality and availability [1].
Mitigation
Users are strongly advised to update the Luzuk Team plugin to a patched version as soon as it becomes available. Until then, temporary mitigations include restricting the plugin's use to trusted administrators and applying a web application firewall (WAF) to filter XSS attempts. The vulnerability is listed in public advisories, increasing the risk of automated exploitation in mass campaigns [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.