CVE-2021-24177: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24177 affects the WordPress File Manager plugin versions before 7.1. It was discovered on February 16, 2021, and publicly disclosed on February 26, 2021. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that occurs in the default configuration of the plugin, which at the time was being used by over 600,000 active installations (Security Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists on the endpoint /wp-admin/admin.php?page=wpfilemanager_properties where a payload submitted through the User-Agent parameter is reflected back in the web application response without proper sanitization. The vulnerability has received a CVSS score of 5.4 (Medium) (WPScan, Security Advisory).

The vulnerability allows attackers to target administrator users who have access to the plugin configuration page. Successful exploitation could lead to various attacks including cookie theft (if HttpOnly flag is missing from session cookies), web page modification, clipboard content capture, keylogging, port scanning, and dynamic downloads. The attack requires user interaction and can only affect users with administrative privileges (Security Advisory).

The vulnerability was fixed in version 7.1 of the WP File Manager plugin, which was released on February 18, 2021, just two days after the initial vulnerability disclosure. Users are advised to update to version 7.1 or later to protect against this vulnerability (WPScan, Security Advisory).