CVE-2021-24489: 
WordPress vulnerability analysis and mitigation

CVE-2021-24489 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Request a Quote' versions below 2.3.9. The vulnerability was discovered and publicly disclosed on September 21, 2021. The issue affects the plugin's admin dashboard settings, where certain fields lack proper input sanitization and validation (WPScan).

The vulnerability stems from improper sanitization, validation, and escaping of settings in the admin dashboard. The issue persists even when the unfiltered_html capability is disallowed. The vulnerability was initially fixed in version 2.3.5 but was reintroduced, affecting version 2.3.7. The vulnerability has been assigned a CVSS score of 3.4 (low) and is classified as CWE-79. The affected fields include Base Slug, Maximum files, Maximum file size, and Allowed file extensions in the Attachments Section (WPScan).

When exploited, this vulnerability allows authenticated users to inject malicious scripts that execute when viewing a Quote in the 'All Quotes' dashboard or in the Quote form on the frontend. The stored XSS payload remains persistent in the database and executes whenever the affected pages are accessed (WPScan).

The vulnerability has been fixed in version 2.3.9 of the Request a Quote plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).