CVE-2021-24409: 
WordPress vulnerability analysis and mitigation

The Prismatic WordPress plugin before version 2.8 contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24409. The vulnerability was discovered and disclosed on June 21, 2021. The issue affects the plugin's handling of the 'tab' GET parameter in the WordPress admin interface, which fails to properly escape user input before outputting it back in an attribute (WPScan).

The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'tab' GET parameter. When this parameter is processed in the WordPress admin interface at the path '/wp-admin/options-general.php?page=prismatic', the input is not properly escaped before being reflected back in an attribute. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

When successfully exploited, this XSS vulnerability can be executed in the context of a logged-in administrator. This could potentially allow an attacker to perform actions with administrator privileges, access sensitive information, or manipulate the admin interface (WPScan).

The vulnerability has been fixed in version 2.8 of the Prismatic plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).