CVE-2021-24559: 
WordPress vulnerability analysis and mitigation

The Qyrr WordPress plugin before version 0.7 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in 2021 and assigned identifier CVE-2021-24559. The issue affects the QR code generation functionality in the plugin, specifically impacting installations of Qyrr plugin versions prior to 0.7 (WPScan).

The vulnerability stems from two main issues: First, the plugin fails to properly escape the data-uri of the QR Code when outputting it in a src attribute. Second, the data_uri_to_meta AJAX action is accessible to all authenticated users and only implements a CSRF check, with the nonce being available to users with Contributor role or higher. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows authenticated users with Contributor role or higher to perform Stored Cross-Site Scripting attacks. Attackers can set malicious data-uri values in arbitrary QR Code posts, which when viewed by other users, could execute arbitrary JavaScript code in their browsers (WPScan).

The vulnerability has been fixed in version 0.7 of the Qyrr WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).