CVE-2021-24558: 
WordPress vulnerability analysis and mitigation

The Project Status WordPress plugin version 1.6 and below contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2021-24558. The vulnerability was discovered by Shreya Pohekar and was publicly disclosed on July 24, 2021. The issue affects the plugin's post duplication functionality and can be exploited by any authenticated user (CodeVigilant, WPScan).

The vulnerability exists in the pspinduplicatepostsaveasnewpost function of the plugin, which fails to properly sanitize, validate, or escape the 'post' GET parameter before outputting it in an error message when the related post does not exist. The vulnerable code is located in includes/clone/duplicate-post-admin.php on line 187. The vulnerability has been assigned a CVSS score of 7.1 (High) and is classified as CWE-79 (WPScan).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the malicious URL. This can lead to theft of sensitive information, session hijacking, or other malicious actions depending on the context of the executed JavaScript (WPScan).

No official fix has been released for this vulnerability as the plugin has been closed since May 19, 2021. The recommended mitigation is to remove the vulnerable plugin from WordPress installations (CodeVigilant).