CVE-2021-24592: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24592 affects the Sitewide Notice WP WordPress plugin versions below 2.3. This security flaw was discovered and reported by Asif Nawaz Minhas, and was publicly disclosed on August 2, 2021. The vulnerability is related to improper sanitization of settings in the plugin (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. The plugin fails to properly sanitize its settings before outputting them in frontend pages, which creates a security weakness. The CVSS score for this vulnerability is rated as 3.4 (low severity). The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (WPScan).

When exploited, this vulnerability allows attackers with high privileges to inject malicious JavaScript code through the Message setting of the plugin, which will then be triggered on all frontend pages of the affected WordPress site (WPScan).

The vulnerability has been fixed in version 2.3 of the Sitewide Notice WP plugin. Users are advised to update their plugin to this version or later to mitigate the security risk (WPScan).