CVE-2021-24382: 
WordPress vulnerability analysis and mitigation

The Smart Slider 3 Free and Pro WordPress plugins before version 3.5.0.9 contained a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24382. The vulnerability was discovered in June 2021 and stemmed from insufficient sanitization of the Project Name field before outputting it back in the page (WPScan, NVD).

The vulnerability allowed for stored XSS attacks through the Project Name parameter in the plugin's dashboard. By default, only administrator users could access this functionality. The issue could be exploited by entering JavaScript payloads within the Name field (projectName parameter) in the Dashboard -> New Project section. The vulnerability received a CVSS score of 4.8 (medium severity) and was classified under CWE-79 (WPScan).

While the vulnerability's impact was limited by default administrator-only access, in cases where WordPress admins granted lesser privileged users access to the plugin's functionality, privilege escalation could be performed. The stored XSS could potentially allow attackers to execute malicious JavaScript code in users' browsers (WPScan).

The vulnerability was patched in version 3.5.0.9 of both Smart Slider 3 Free and Pro versions. Users were advised to update their installations to this version or newer to mitigate the risk (Smart Slider Changelog).