CVE-2021-24477: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24477 affects the Migrate Users WordPress plugin through version 1.0.1. The vulnerability was discovered and publicly disclosed on June 28, 2021, by security researcher ABISHEIK M. This security issue combines two vulnerabilities: a Stored Cross-Site Scripting (XSS) vulnerability and a Cross-Site Request Forgery (CSRF) vulnerability (WPScan Advisory).

The vulnerability stems from improper input sanitization and validation in the plugin's Delimiter option. When this option is accessed through the plugin's admin page (/wp-admin/tools.php?page=migrate_users&action=options), the input is neither sanitized nor escaped before being output on the page. Additionally, the plugin lacks CSRF protection mechanisms when saving its options. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to store and execute malicious JavaScript code in the context of other users' browsers who access the affected pages. When combined with the CSRF vulnerability, attackers can potentially trick administrators into executing actions without their knowledge or consent, leading to stored XSS payload injection (WPScan Advisory).

As of the last update, there is no known fix available for this vulnerability. Users of the Migrate Users WordPress plugin version 1.0.1 or earlier should consider either removing the plugin or implementing additional security controls at the web application firewall level to prevent XSS attacks (WPScan Advisory).