The WP Feature Box plugin for WordPress, developed by Miguel Peixe, contains a stored cross-site scripting vulnerability identified as CVE-2024-51611. This vulnerability is due to improper input sanitization during web page generation, which can allow an attacker with at least low privileges and user interaction to inject malicious scripts that persist and execute in other users' browsers. The affected versions include all versions up to 0.1.3. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected site, potentially leading to information disclosure, modification of site content, or disruption of service. The impact is rated medium based on the CVSS score of 6.5. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP Feature Box plugin if possible, or restrict access to trusted users only. Monitor official channels for updates from the vendor regarding patches or mitigations.