CVE-2021-24565: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 Captcha WordPress plugin before version 0.0.9 contains a security vulnerability identified as CVE-2021-24565. The vulnerability was discovered and publicly disclosed on July 26, 2021, affecting the contact-form-7-simple-recaptcha plugin for WordPress (WPScan).

The vulnerability combines two security issues: a Cross-Site Request Forgery (CSRF) vulnerability and a Stored Cross-Site Scripting (XSS) vulnerability. The plugin lacks CSRF protection when saving settings, and additionally, the settings are not properly escaped when output in attributes. The vulnerability has been assigned a CVSS score of 7.1 (High) and is classified under CWE-79 and OWASP Top 10 category A7: Cross-Site Scripting (XSS). All cf7sr_* parameters in the plugin are identified as vulnerable (WPScan).

The vulnerability allows attackers to manipulate plugin settings through logged-in users with manage_options privileges. Additionally, due to the stored XSS component, attackers could potentially inject and execute malicious JavaScript code in the context of the administrator's browser session (WPScan, MITRE).

The vulnerability has been fixed in version 0.0.9 of the Contact Form 7 Captcha plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).