CVE-2021-24563: 
WordPress vulnerability analysis and mitigation

The Frontend Uploader WordPress plugin version 1.3.2 and below contains an Unauthenticated Stored Cross-Site Scripting vulnerability (CVE-2021-24563). The vulnerability was discovered by Veshraj Ghimire and publicly disclosed on September 21, 2021. The plugin fails to prevent HTML file uploads through its form functionality, which affects WordPress installations using the Frontend Uploader plugin (WPScan).

The vulnerability exists due to the plugin's failure to properly validate file uploads, allowing unauthenticated users to upload malicious HTML files containing JavaScript through the [fu-upload-form] shortcode. When these uploaded files are accessed directly, the malicious JavaScript code is executed. The vulnerability has been assigned a CVSS score of 6.1 (Medium) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

When exploited, this vulnerability allows attackers to upload and store malicious HTML files containing JavaScript code that executes when accessed by users. This can lead to the theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Website administrators using the Frontend Uploader plugin should consider either removing the plugin or implementing additional security controls to prevent unauthorized file uploads (WPScan).