CVE-2021-24448: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24448 affects the User Registration & User Profile – Profile Builder WordPress plugin versions before 3.4.8. The vulnerability was discovered and publicly disclosed on June 30, 2021, by security researcher Akash Rajendra Patil. This security issue involves an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the plugin's 'Modify default Redirect Delay timer' setting (WPScan).

The vulnerability stems from improper sanitization and escaping of the 'Modify default Redirect Delay timer' setting in the plugin. This security flaw allows high-privilege users to inject JavaScript code even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 4.8 (medium severity) and is classified as CWE-79, falling under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows authenticated users with high privileges to inject and store malicious JavaScript code in the plugin settings. This stored XSS vulnerability could potentially be used to perform actions on behalf of other users who access the affected areas of the WordPress admin panel (WPScan).

The vulnerability has been fixed in version 3.4.8 of the Profile Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).