CVE-2024-51872

The Luzuk Testimonials plugin for WordPress, version 0.0.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that user-provided data is not sanitized before being stored and later displayed, allowing the injection of arbitrary HTML and JavaScript.

To exploit this vulnerability, an attacker must have the ability to submit content through the plugin's testimonial submission feature, which typically requires at least contributor-level privileges. The injected script is stored on the server and executed when any user views the affected page, triggering the malicious payload. User interaction is required for some attack vectors, but stored XSS can execute automatically on page load if the injected script runs without user action [1].

Successful exploitation allows an attacker to perform actions such as redirecting visitors to malicious sites, serving advertisements, or stealing sensitive information like session cookies. This can lead to full compromise of the WordPress site if an administrator subsequently views the infected page, potentially allowing escalation to admin-level access [1].

The vulnerability is patched by updating the plugin to a version newer than 0.0.1. Users are advised to update immediately or seek assistance from their hosting provider if unable to do so [1].