CVE-2021-24618: 
WordPress vulnerability analysis and mitigation

CVE-2021-24618 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin Donate With QRCode versions below 1.4.5. The vulnerability was discovered and reported by yangshengcheng@webray.com.cn, and was publicly disclosed on August 19, 2021 (WPScan).

The vulnerability stems from improper sanitization and escaping of the QRCode Image setting in the plugin. The issue is compounded by the absence of CSRF and capability checks when saving settings. The vulnerability has been assigned a CVSS score of 6.4 (medium) and is classified under CWE-79. In versions prior to 1.4.4, any authenticated user (including subscribers) or unauthenticated users via CSRF could exploit this vulnerability. Version 1.4.4 added capability checks and some sanitization, but the affected parameter remained vulnerable (WPScan).

When exploited, this vulnerability allows attackers to inject malicious scripts that will be triggered in all frontend posts. The stored XSS payload can execute arbitrary JavaScript code in visitors' browsers, potentially leading to session hijacking, credential theft, or other malicious actions (WPScan).

The vulnerability was fully patched in version 1.4.5 of the Donate With QRCode plugin, which properly sanitizes the affected parameter. Users are strongly advised to update to this version or later. However, it should be noted that CSRF protection was still missing in this release and was addressed separately (WPScan).