CVE-2021-24468: 
WordPress vulnerability analysis and mitigation

The Leaflet Map WordPress plugin before version 3.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24468. The vulnerability was discovered and reported by researcher apple502j, and publicly disclosed on July 1, 2021. The security issue affects the plugin's handling of shortcode attributes, which are not properly escaped before being used in JavaScript code or HTML (WPScan).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue specifically involves unescaped shortcode attributes that are directly used in JavaScript code or HTML output, making it possible to inject malicious scripts (NVD).

The vulnerability allows users with a role as low as Contributor to exploit stored XSS issues. When successfully exploited, an attacker can inject malicious JavaScript code that executes in the context of other users' browsers who view the affected pages, potentially leading to theft of sensitive information or manipulation of web content (WPScan).

The vulnerability has been fixed in version 3.0.0 of the Leaflet Map plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).