CVE-2021-24388: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24388 affects the VikRentCar Car Rental Management System WordPress plugin versions before 1.1.7. The vulnerability was discovered and publicly disclosed on June 14, 2021, by security researcher Satyender Yadav. This security issue combines a Cross-Site Scripting (XSS) vulnerability with a Cross-Site Request Forgery (CSRF) weakness in the plugin's custom field management functionality (WPScan).

The vulnerability stems from improper input validation in the custom field option feature of the plugin. The field name is neither sanitized nor escaped before being output back to the page, resulting in a stored Cross-Site Scripting vulnerability. Additionally, the absence of CSRF protection in the settings saving mechanism allows attackers to manipulate logged-in administrators into setting arbitrary Custom Fields, including those containing XSS payloads. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to potential theft of sensitive information, session hijacking, or manipulation of the plugin's settings. The attack requires user interaction and a logged-in administrator to be successful (WPScan).

The vulnerability has been addressed in two phases: the XSS issue was fixed in version 1.1.6, and the CSRF vulnerability was patched in version 1.1.7. Users are strongly advised to update their VikRentCar Car Rental Management System plugin to version 1.1.7 or later to fully mitigate both security issues (WPScan).