CVE-2021-24528: 
WordPress vulnerability analysis and mitigation

The FluentSMTP WordPress plugin before version 2.0.1 contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2021-24528. The vulnerability was discovered and publicly disclosed on July 29, 2021. This security issue affects the plugin's SMTP settings functionality, where parameters are not properly sanitized before storage in the database or escaped before output (WPScan Advisory).

The vulnerability stems from improper input validation and output encoding in the FluentSMTP plugin's settings management functionality. It has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) classification. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability allows authenticated users with plugin management capabilities to store and execute malicious JavaScript code in the plugin's SMTP settings. When other administrative users view these settings, the stored malicious code executes in their browsers, potentially leading to unauthorized actions or data theft (WPScan Advisory).

The vulnerability has been fixed in FluentSMTP version 2.0.1. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan Advisory).