CVE-2021-24535: 
WordPress vulnerability analysis and mitigation

The Light Messages WordPress plugin through version 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to Stored Cross-Site Scripting (XSS). The vulnerability was discovered by Vinay Bhuria and publicly disclosed on July 19, 2021 (WPScan).

The vulnerability exists due to the plugin lacking CSRF protection when updating settings and insufficient sanitization of the Message Content field, even when unfiltered_html is disallowed. The vulnerability has been assigned a CVSS score of 7.1 (High) and is classified under CWE-352. The XSS payload can be triggered either in the backend only (in the plugin's settings) or both frontend and backend depending on the configured options (WPScan).

An attacker could exploit this vulnerability to make a logged-in administrator update settings to arbitrary values and inject malicious Cross-Site Scripting payloads into the Message Content. These payloads could then be executed when users access either the backend administrative interface or both frontend and backend areas of the website (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Site administrators using the Light Messages plugin version 1.0 or below should consider removing or disabling the plugin until a security patch is released (WPScan).