CVE-2021-24513: 
WordPress vulnerability analysis and mitigation

The Form Builder WordPress plugin (versions before 1.9.8.4) contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24513. The vulnerability was discovered on August 9, 2021, and affects the Form Title functionality of the plugin. The issue exists in the contact-form-add plugin component (WPScan).

The vulnerability stems from improper sanitization and escaping of the Form Title field, which allows high-privilege users such as administrators to inject Cross-Site Scripting payloads, even when the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated users with high privileges to inject malicious scripts through the Form Title field. These scripts are then executed when viewing or editing the form in the admin dashboard, potentially leading to client-side attacks against administrative users (WPScan).

The vulnerability has been patched in version 1.9.8.4 of the Form Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).