CVE-2021-24503: 
WordPress vulnerability analysis and mitigation

The Popular Brand Icons – Simple Icons WordPress plugin before version 2.7.8 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24503. The vulnerability was discovered on July 5, 2021, and affects the plugin's shortcode parameters functionality. The issue stems from insufficient sanitization and validation of parameters such as 'color', 'size', and 'class' (WPScan).

The vulnerability is classified as a Stored XSS (CWE-79) with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue allows users with roles as low as Contributor to inject malicious cross-site scripting payloads through shortcode parameters. The vulnerability can be exploited even when the blog disallows the unfiltered_html capability (NVD).

The vulnerability allows attackers to inject malicious scripts that execute in users' browsers when viewing affected posts. While contributors require admin approval for their posts to trigger the XSS, users with higher privileges (such as editors) can exploit this vulnerability without approval. This could lead to theft of sensitive information or manipulation of website content (WPScan).

The vulnerability has been fixed in version 2.7.8 of the Popular Brand Icons – Simple Icons WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).