CVE-2021-24574: 
WordPress vulnerability analysis and mitigation

The Simple Banner WordPress plugin before version 2.10.4 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24574. The vulnerability was discovered and publicly disclosed on July 26, 2021. This security issue affects the plugin's settings functionality, specifically impacting installations of Simple Banner versions prior to 2.10.4 (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of one of the plugin's settings. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the Simple Banner Text setting of the plugin, where XSS payloads can be injected (NVD).

The vulnerability allows high-privilege users such as administrators to execute Cross-Site Scripting payloads even when the unfiltered_html capability is disallowed. When exploited, the XSS payload can be triggered both in the plugin's settings page and on any frontend page where the banner is displayed (WPScan).

The vulnerability has been fixed in version 2.10.4 of the Simple Banner plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).