
CVE-2024-6462: CWE-79 Cross-Site Scripting (XSS) in Unknown DL Yandex Metrika

Medium
Tags: Vulnerability, CVE-2024-6462, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:07:07 UTC)
Source: CVE
Vendor/Project: Unknown
Product: DL Yandex Metrika

Description

The DL Yandex Metrika WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 07:56:23 UTC

Technical Analysis

CVE-2024-6462 is a medium severity vulnerability classified as CWE-79 (Cross-Site Scripting, XSS) affecting the DL Yandex Metrika WordPress plugin up to and including version 1.2. The vulnerability arises because the plugin fails to sanitise certain settings values when they are saved and fails to escape them when they are rendered. This flaw allows users with high privileges, such as administrators, to inject and store malicious scripts within the plugin's settings. Notably, the attack remains possible even when the WordPress unfiltered_html capability is withheld, as it typically is in multisite environments, where that capability is precisely what is meant to stop privileged users from posting raw HTML. The vulnerability requires high privileges (admin level) and user interaction, but once a malicious value has been saved it results in stored XSS that executes arbitrary JavaScript in the browser of any administrator or user who views the affected settings page. The CVSS 3.1 base score is 4.8, reflecting a medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed. The impact falls primarily on confidentiality and integrity: script execution in an administrator's session could be used to steal session tokens, modify settings, or perform actions on behalf of administrators. Availability impact is not significant. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on May 15, 2025, and was assigned by WPScan. The affected product is a WordPress plugin for Yandex Metrika, a web analytics service popular in Russian-speaking and some European markets.
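The defect class described above is the absence of two separate controls on a settings page: sanitising a value when it is saved and escaping it for the HTML context in which it is rendered. The following PHP is an added illustration of both controls, not code from the DL Yandex Metrika plugin; the option and field names (`example_counter_id`), the assumption that a counter id is purely numeric, and the shims that stand in for the WordPress helpers are all invented for the example so that it runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows the save-side sanitiser and the
// output-side escaper that a WordPress settings page needs so that stored
// values cannot turn into script, whether or not the saving user holds
// unfiltered_html.
//
// Shims so the file runs under plain `php`. Inside WordPress these functions
// already exist and the shims are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\r\n\t ]+/', ' ', $s);
        return trim($s);
    }
}

// 1. Sanitise on save. In a real plugin this is registered as the option's
//    sanitize_callback, e.g.
//    register_setting('example_group', 'example_counter_id',
//                     ['sanitize_callback' => 'example_sanitize_counter_id']);
//    (hypothetical option name and group).
function example_sanitize_counter_id($raw): string {
    $clean = sanitize_text_field((string) $raw);
    // Assumed for the example: a counter id is a short run of digits. Anything
    // else is rejected and an empty string is stored instead of the raw input.
    return preg_match('/^\d{1,12}$/', $clean) ? $clean : '';
}

// 2. Escape on output, for the exact context the value lands in (here an HTML
//    attribute). This is required even if step 1 exists, because a value may
//    have reached the database before the sanitiser was added.
function example_render_field(string $stored): string {
    return '<input type="text" name="example_counter_id" value="'
        . esc_attr($stored) . '">';
}

// The vulnerable pattern, for contrast: the stored value is concatenated into
// the attribute unchanged, so a double quote in the value closes the attribute
// and whatever follows becomes markup.
function example_render_field_unsafe(string $stored): string {
    return '<input type="text" name="example_counter_id" value="'
        . $stored . '">';
}

// Constructed sample input (not a real configuration value): a numeric-looking
// id followed by a stray quote and an extra attribute.
$sample = '42" class="injected';

echo example_render_field_unsafe($sample), "\n";
// -> <input type="text" name="example_counter_id" value="42" class="injected">

echo example_render_field($sample), "\n";
// -> value="42&quot; class=&quot;injected"   (escaping alone already contains it)

echo example_render_field(example_sanitize_counter_id($sample)), "\n";
// -> value=""   (sanitiser rejects the non-numeric value before it is stored)
```

The two layers are deliberately independent: the sanitiser keeps bad values out of the database, and the escaper guarantees that whatever is in the database is rendered as text rather than markup. Checking for unfiltered_html does not substitute for either, because it governs what a user may post in content, not what a plugin does with its own option values.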

Potential Impact

For European organizations, this vulnerability poses a moderate risk, primarily to websites running the DL Yandex Metrika WordPress plugin. Exploitation allows an actor who already holds administrative access to inject scripts that compromise site integrity and confidentiality. This could lead to unauthorized actions within the WordPress admin interface, data leakage, or pivoting to other internal systems if combined with other vulnerabilities. Organizations relying on WordPress multisite setups are particularly exposed, since the vulnerability bypasses the protection that withholding unfiltered_html is meant to provide. Because the plugin feeds Yandex Metrika web analytics, organizations using it for tracking could also face manipulation of analytics configuration or data. While the vulnerability requires admin-level privileges, insider threats or compromised admin accounts could be leveraged to exploit it. The absence of known exploits reduces immediate risk, but the medium severity and the ease of exploitation by privileged users warrant prompt attention. The impact on availability is minimal, but the confidentiality and integrity risks could affect the trustworthiness of web assets and user data.

Mitigation Recommendations

1. Immediate mitigation involves restricting administrative access to trusted personnel only and auditing existing admin accounts for suspicious activity.
2. Disable or remove the DL Yandex Metrika plugin if it is not essential, to reduce attack surface.
3. Monitor plugin updates closely and apply patches as soon as they become available from the vendor or the WordPress plugin repository.
4. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources.
5. Use Web Application Firewalls (WAFs) with rules to detect and block suspicious input patterns related to stored XSS in plugin settings.
6. Conduct regular security reviews and penetration testing focusing on WordPress plugins and multisite configurations.
7. Educate administrators on the risks of injecting untrusted content into plugin settings and enforce strict input validation policies.
8. Consider isolating analytics plugins in separate environments or subdomains to contain potential compromise.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-07-02T20:57:28.043Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec257

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:56:23 AM

Last updated: 7/31/2025, 9:47:07 AM
