CVE-2021-24176: 
WordPress vulnerability analysis and mitigation

The JH 404 Logger WordPress plugin through version 1.1 contains an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2021-24176. The vulnerability was discovered and reported by security researcher Ganesh Bagaria, and was publicly disclosed on March 11, 2021. This security flaw affects the plugin's handling of 404 page logging functionality in the WordPress dashboard (WPScan, Researcher Blog).

The vulnerability stems from improper sanitization of the referer and path parameters of 404 pages when they are displayed in the WordPress dashboard. This security weakness is classified as CWE-79 (Cross-Site Scripting) and has received a critical CVSS score of 9.6. A proof of concept exploit can be executed using a simple curl command to send a malformed request to a non-existing page (WPScan).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the WordPress dashboard. The impact is particularly severe as it could potentially lead to the theft of authentication cookies and other sensitive information, especially in cases where httpOnly flags are not implemented on authentication cookies (Researcher Blog).

As of the vulnerability disclosure, no official fix has been released for the JH 404 Logger plugin. Website administrators using this plugin should consider either removing it or implementing additional security controls to prevent exploitation of this vulnerability (WPScan).