CVE-2021-24313: 
WordPress vulnerability analysis and mitigation

The WP Prayer WordPress plugin before version 1.6.2 contained an Authenticated Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2021-24313. The vulnerability was discovered in April 2021 and affected the plugin's prayer request functionality, which allows authenticated users to submit and display prayer requests on WordPress websites. The vulnerability was fixed in version 1.6.2, released in May 2021 (WPScan).

The vulnerability exists due to improper input validation in the 'prayer request' and 'praise request' fields of the prayer submission form. The plugin fails to sanitize user input in these fields before storing it in the database, and subsequently fails to properly encode the output when displaying the prayers. The vulnerability has been assigned a CVSS score of 7.4 (High), indicating significant severity. Any authenticated user, regardless of role level (including subscribers), can exploit this vulnerability by injecting malicious JavaScript code into prayer requests (Technical Write-up).

When exploited, this vulnerability allows authenticated attackers to store and execute malicious JavaScript code on pages where prayer requests are displayed. This could potentially lead to cookie theft, session hijacking, or other client-side attacks affecting users who view the compromised prayer request pages. The impact is particularly concerning as the executed JavaScript code runs in the context of the victim's browser session (WPScan).

The recommended mitigation is to update the WP Prayer plugin to version 1.6.2 or later, which includes a fix for this vulnerability. The fix implements proper input validation and sanitization for the prayer request fields (WPScan).