CVE-2021-24516: 
WordPress vulnerability analysis and mitigation

The PlanSo Forms WordPress plugin through version 2.6.3 contains an Authenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24516. The vulnerability was discovered on July 12th, 2021, and publicly disclosed on September 15th, 2021, after unsuccessful attempts to reach the vendor (WPScan).

The vulnerability exists because the plugin fails to properly escape the Form title before outputting it in attributes. This remains possible even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows high-privilege users such as administrators to inject and execute malicious JavaScript code through the Form title field. When other users view the Form List page or related Form pages, the stored XSS payload gets triggered, potentially leading to unauthorized actions being performed in their browser context (WPScan).

No official fix has been released for this vulnerability as of the last update. Users are advised to exercise caution when using the PlanSo Forms plugin versions 2.6.3 and earlier (WPScan).