CVE-2024-51573 identifies a Stored Cross-site Scripting (XSS) vulnerability in the ersatzpole ML Responsive Audio player with playlist Shortcode, a WordPress plugin designed to embed audio playlists responsively. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious scripts to be stored persistently within the plugin's data fields. When a victim accesses a page containing the malicious payload, the injected script executes in their browser context. This can lead to a range of attacks including session hijacking, theft of cookies or credentials, defacement, or redirection to malicious sites. The affected versions include all versions up to and including 0.2, with no patches currently available. The plugin’s user base is relatively limited compared to mainstream plugins, but any site using it is at risk. The vulnerability does not require authentication to exploit, and no user interaction beyond visiting a compromised page is necessary. Although no known exploits are currently in the wild, the stored nature of the XSS makes it particularly dangerous as the malicious payload can affect multiple users over time. The absence of a CVSS score requires an assessment based on impact and exploitability factors.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Attackers can execute arbitrary JavaScript in the context of affected websites, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of users without their consent. This can lead to account compromise, data leakage, and reputational damage for affected organizations. Since the vulnerability is stored XSS, it can persist and affect multiple users, increasing the attack surface. Websites using the affected plugin, especially those with logged-in users or sensitive data, are at higher risk. The availability impact is generally low unless attackers use the vulnerability to deface or disrupt site functionality. Given the plugin’s niche usage, the global impact is limited but significant for affected sites, particularly those in sectors relying on WordPress audio content delivery such as media, education, and entertainment.

Organizations should immediately audit their WordPress sites for the presence of the ersatzpole ML Responsive Audio player with playlist Shortcode plugin and identify affected versions (<= 0.2). Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implement strict input validation and output encoding on all user-supplied data fields related to the plugin to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor web server and application logs for unusual input patterns or suspicious activity indicative of exploitation attempts. Educate site administrators and users about the risks of clicking on untrusted links. Once a patch is available, apply it promptly. Additionally, consider using web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.