CVE-2021-24213: 
WordPress vulnerability analysis and mitigation

The GiveWP WordPress plugin before version 2.10.0 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the administration panel. The vulnerability was discovered in the 's' GET parameter on the Donors page and has been present since version 2.4.0 (January 16th, 2019). The issue was assigned CVE-2021-24213 and affected over 100,000 WordPress installations at the time of discovery (Bentlee Blog, WPScan).

The vulnerability existed in the class-donor-table.php file where the 's' parameter was not properly sanitized before being reflected back to users. The XSS payload could be triggered via a specially crafted URL in the administration panel. The vulnerability received a CVSS score of 7.1 (High) and was classified under CWE-79 (WPScan).

The vulnerability required user interaction from an administrator to be exploited. If successfully exploited, it could allow attackers to execute arbitrary JavaScript code in the context of the administrator's browser session (Bentlee Blog).

The vulnerability was fixed in GiveWP version 2.10.0, which was released approximately 8 hours after the initial report to the vendor. Users were advised to upgrade to this version to remediate the issue (Bentlee Blog).

The vendor responded quickly to the vulnerability report, releasing a fix the same day it was reported. The disclosure process was handled through the WPScan CNA, which issued the CVE identifier (Bentlee Blog).