CVE-2021-24433: 
WordPress vulnerability analysis and mitigation

The simple sort&search WordPress plugin through version 0.0.3 contains a stored cross-site scripting vulnerability identified as CVE-2021-24433. The vulnerability was discovered by apple502j and publicly disclosed on June 21, 2021. This security issue affects the plugin's shortcode functionality, specifically impacting users with Contributor-level access or higher (WPScan).

The vulnerability stems from improper validation of the 'indexurl' parameter in multiple shortcodes including 'category_sims', 'order_sims', 'orderby_sims', 'period_sims', and 'tag_sims'. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows users with Contributor-level access to inject malicious JavaScript code through the plugin's shortcodes. The stored XSS payload gets executed when other users view the affected content, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

There is no known fix available for this vulnerability as of the last update. Users are advised to either remove the plugin or implement additional security controls to restrict access to users who can create and edit posts (WPScan).