CVE-2021-24428: 
WordPress vulnerability analysis and mitigation

CVE-2021-24428 affects the RSS for Yandex Turbo WordPress plugin through version 1.30. The vulnerability was discovered in the plugin's settings handling functionality, where certain parameters were not properly sanitized or escaped before being saved and output in the admin dashboard. This security issue was publicly disclosed on June 15, 2021, and was assigned a CVE identifier on January 14, 2021 (CVE MITRE, WPScan).

The vulnerability is classified as an Authenticated Stored Cross-Site Scripting (XSS) issue that can be exploited even when the unfiltered_html capability is disallowed. The vulnerability affects multiple plugin parameters including ytnetw, ytnetwspan, ytfeedbacknetw, ytfeedbacknetwspan, ytratingmin, and ytratingmax. The CVSS score for this vulnerability is 3.4 (low severity), and it is categorized under CWE-79 (Cross-site Scripting) (WPScan).

The vulnerability allows authenticated users to inject and store malicious JavaScript code in the plugin's settings, which can then be executed when other administrators access the plugin's admin dashboard. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

The vulnerability was fixed in version 1.31 of the RSS for Yandex Turbo plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).