CVE-2021-24561: 
WordPress vulnerability analysis and mitigation

The WP SMS WordPress plugin before version 5.4.13 contains an Authenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24561. The vulnerability exists due to improper sanitization of the 'wp_group_name' parameter in the 'Groups' page. This security issue was discovered and reported by Muhammad Daffa, and was publicly disclosed on July 26, 2021 (WPScan).

The vulnerability stems from insufficient input sanitization where the plugin fails to properly sanitize the 'wp_group_name' parameter before outputting it back in the 'Groups' page. This allows for the injection of malicious JavaScript code. The issue has been assigned a CVSS score of 5.4 (Medium) under CVSS v3.1 with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users to store and execute malicious JavaScript code that would run in the context of other users' browsers when they visit the affected Groups page. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against WordPress administrators or other users with access to the Groups page.

The vulnerability has been patched in version 5.4.13 of the WP SMS plugin. Site administrators are strongly advised to update to this version or later. The fix includes proper sanitization of the wp_group_name parameter and additional security improvements (WordPress Plugin Repository).