
Cloud Vulnerability DB
A community-led vulnerabilities database
The Booking.com Banner Creator WordPress plugin in versions before 1.4.3 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24646. The vulnerability was discovered and publicly disclosed on October 5, 2021, by security researcher Asif Nawaz Minhas. The issue affects the banner creation functionality of the plugin, specifically impacting WordPress installations using the bookingcom-banner-creator plugin (WPScan).
The vulnerability stems from improper input sanitization when creating banners. The issue specifically affects the 'Banner Copy' form field in the plugin's banner creation interface. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified as CWE-79. The security flaw allows for stored XSS attacks, which can be executed even when the unfiltered_html capability is disabled on the WordPress installation (WPScan).
When exploited, this vulnerability allows high-privilege users to perform Cross-Site Scripting attacks. The impact is notable because these attacks succeed even when the unfiltered_html capability is disallowed, which is precisely the control that is supposed to prevent such users from storing script in content, potentially compromising the security of the WordPress installation (CVE Mitre).
The vulnerability has been patched in version 1.4.3 of the Booking.com Banner Creator plugin. Users are advised to update their installations to this version or later to mitigate the security risk (WPScan).
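The root cause described above is that the plugin saved the 'Banner Copy' field without sanitizing it or honouring the unfiltered_html capability. The following is an added illustration, not code from the Booking.com Banner Creator plugin, of how a WordPress save handler should treat such a field using core functions; the function names, the option key and the form field name are hypothetical.

```php
<?php
// Hypothetical save handler for a banner "copy" field (illustrative, not the plugin's code).
// Weak pattern that the advisory describes: storing the raw POST value.
function weak_save_banner_copy() {
    update_option( 'example_banner_copy', $_POST['banner_copy'] ); // stored XSS: no sanitization
}

// Hardened pattern: verify intent, then sanitize according to the user's capabilities.
function hardened_save_banner_copy() {
    // Reject requests without a valid nonce or without the right to manage the plugin.
    check_admin_referer( 'example_save_banner' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    $raw = isset( $_POST['banner_copy'] ) ? wp_unslash( $_POST['banner_copy'] ) : '';

    // Only users explicitly granted unfiltered_html may store arbitrary HTML.
    // Everyone else (including administrators on installs where the capability is
    // disabled, e.g. multisite or DISALLOW_UNFILTERED_HTML) gets the post-safe subset,
    // which strips <script>, event handlers and javascript: URLs.
    if ( current_user_can( 'unfiltered_html' ) ) {
        $clean = $raw;
    } else {
        $clean = wp_kses_post( $raw );
    }

    update_option( 'example_banner_copy', $clean );
}

// Output side: filter again when rendering, so a value written by an older,
// unsanitized version of the plugin cannot execute in the browser.
function hardened_render_banner_copy() {
    $copy = get_option( 'example_banner_copy', '' );
    echo wp_kses_post( $copy );
}
```

Filtering on both save and render is deliberate: data already stored before the fix is still neutralised at output time.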
Source: This report was generated using AI