CVE-2021-24485: 
WordPress vulnerability analysis and mitigation

The Special Text Boxes WordPress plugin (wp-special-textboxes) before version 5.9.110 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24485. The vulnerability was discovered by Akash Rajendra Patil and publicly disclosed on September 21, 2021. The issue affects the plugin's settings functionality, specifically impacting WordPress installations using this plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of settings within the plugin. This security flaw exists in the 'Basic Settings' section of the plugin's configuration page (/wp-admin/admin.php?page=stb-settings). The vulnerability is classified as CWE-79 (Cross-Site Scripting) and has been assigned a CVSS score of 3.4 (low severity). A proof of concept demonstrates that an attacker can inject malicious scripts using the payload '" autofocus onfocus=alert(/XSS/)//' in any field within the Basic Settings section (WPScan).

The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who access the affected pages (WPScan).

The vulnerability has been fixed in version 5.9.110 of the Special Text Boxes WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).