CVE-2021-24591: 
NixOS vulnerability analysis and mitigation

The vulnerability CVE-2021-24591 affects the Highlight WordPress plugin versions before 0.9.3. The vulnerability was discovered and publicly disclosed on August 6, 2021. It involves an improper sanitization of the CustomCSS setting in the plugin, which creates a security risk even when certain security measures are in place (WPScan Vuln).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically an Authenticated Stored XSS vulnerability. It has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while the CVSS v2.0 score is 3.5 (Low) (NVD Database).

The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This creates a potential security risk where authenticated users with appropriate privileges could inject malicious scripts into the website (WPScan Vuln).

The vulnerability has been fixed in version 0.9.3 of the Highlight WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Vuln).