CVE-2021-24587: 
WordPress vulnerability analysis and mitigation

The Splash Header WordPress plugin before version 1.20.8 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24587. The vulnerability was discovered in July 2021 and affects authenticated users who have access to the plugin's settings in the WordPress admin dashboard. The issue stems from insufficient sanitization and escaping of certain plugin settings when they are output in the admin dashboard (WPScan).

The vulnerability is classified as an authenticated Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue specifically occurs in the 'Note title' and 'Note message' settings of the plugin, where unsanitized input can be stored and later executed when viewing the admin dashboard (NVD).

When exploited, this vulnerability allows authenticated users to store and execute malicious JavaScript code in the WordPress admin dashboard. This could potentially lead to unauthorized actions being performed in the context of other admin users who view the affected pages, potentially compromising the security of the WordPress installation (WPScan).

The vulnerability has been fixed in version 1.20.8 of the Splash Header plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).