CVE-2021-24366: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24366 affects the Admin Columns WordPress plugin (both Free and Pro versions) before versions 4.3 and 5.5.1 respectively. The vulnerability was discovered by Daniel Elkabes of WhiteSource and was publicly disclosed on May 31, 2021. The issue stems from improper sanitization and escaping of Label settings in the plugin (WPScan, CVE Mitre).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 3.4 (low severity). The technical root cause is the lack of proper input validation for the Label parameter in the plugin's custom column field feature. This security flaw is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation (WhiteSource).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. This could potentially lead to the execution of arbitrary JavaScript code in the context of other users' browsers (CVE Mitre).

The vulnerability has been patched in Admin Columns Free version 4.3 and Admin Columns Pro version 5.5.1. Users are advised to upgrade to these versions or later to mitigate the risk. The fix involves proper sanitization of the Label settings as evidenced in the patch (GitHub Commit).