CVE-2021-24545: 
WordPress vulnerability analysis and mitigation

The WP HTML Author Bio WordPress plugin through version 1.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24545. The vulnerability was discovered and disclosed on September 21, 2021. This security issue affects WordPress installations using the WP HTML Author Bio plugin versions 1.2.0 and earlier (WPScan).

The vulnerability stems from insufficient sanitization of HTML content in user biographies. The plugin fails to properly sanitize HTML allowed in the Bio field of users, which enables the injection of malicious JavaScript code. The vulnerability has been assigned a CVSS score of 5.4 (medium severity) and is classified as CWE-79: Cross-Site Scripting (WPScan, NVD).

When exploited, this vulnerability allows users with author-level privileges or higher to inject malicious JavaScript code into their biographical information. This injected code is then executed when any user views a post created by the author with the compromised biography. The impact is particularly severe if an administrator views the affected posts, as it could potentially lead to privilege escalation (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Website administrators using the affected plugin should consider either removing the plugin or implementing additional security controls to restrict access to the biographical information field (WPScan).