CVE-2021-24476: 
WordPress vulnerability analysis and mitigation

The Steam Group Viewer WordPress plugin through version 2.1 contains a stored Cross-Site Scripting (XSS) vulnerability that was discovered and publicly disclosed on June 28, 2021. The vulnerability affects the plugin's settings functionality, specifically in the handling of the 'Steam Group Address' field. This security issue has been assigned CVE-2021-24476 (WPScan Advisory).

The vulnerability stems from improper input sanitization and escaping of the 'Steam Group Address' settings field before it is output on the page. This security flaw has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users to store and execute malicious JavaScript code through the plugin's settings interface. When exploited, this could lead to client-side attacks against other users who access the affected pages (WPScan Advisory).

As of the latest available information, there is no known fix for this vulnerability. Users of the Steam Group Viewer WordPress plugin version 2.1 or earlier should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings (WPScan Advisory).