CVE-2021-24470: 
WordPress vulnerability analysis and mitigation

The Yada Wiki WordPress plugin versions before 3.4.1 contained a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24470. The vulnerability was discovered and reported by researcher apple502j, and was publicly disclosed on June 28, 2021. The security issue affected the plugin's shortcode functionality, specifically impacting WordPress installations using the Yada Wiki plugin (WPScan).

The vulnerability stems from improper input validation where the plugin failed to sanitize, validate, or escape the anchor attribute of its shortcode. This security flaw has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79 (Cross-site Scripting). The vulnerability could be exploited by users with Contributor-level access or higher (WPScan).

When successfully exploited, this vulnerability allows attackers to inject and execute malicious JavaScript code in the context of other users' browsers who view the affected pages. Since this is a stored XSS vulnerability, the malicious code persists in the database and executes whenever users access the compromised page (WPScan).

The vulnerability has been patched in version 3.4.1 of the Yada Wiki plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).