CVE-2021-24478: 
NixOS vulnerability analysis and mitigation

The Bookshelf WordPress plugin through version 2.0.4 contains an authenticated Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on June 28, 2021. The issue stems from the plugin's failure to properly sanitize or escape the 'Paypal email address' setting before outputting it in the page (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 5.5 (medium severity) and is identified as CWE-79. The vulnerability can be exploited by adding malicious JavaScript code in the 'Paypal email address' setting of the plugin, which can be accessed at /wp-admin/admin.php?page=bookshelf-settings. A proof of concept exploit involves inserting the payload '">alert(/XSS/)' into the Paypal email address field (WPScan).

When successfully exploited, this vulnerability allows authenticated users to store and execute malicious JavaScript code that will be executed in other users' browsers when they access the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users of the Bookshelf WordPress plugin version 2.0.4 or earlier should consider implementing additional security controls or removing the plugin until a patch is available (WPScan).