CVE-2021-24670: 
WordPress vulnerability analysis and mitigation

The CoolClock WordPress plugin before version 4.3.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24670. The vulnerability was discovered by researcher apple502j and publicly disclosed on August 30, 2021. The security issue affects the plugin's shortcode functionality, specifically impacting WordPress installations running CoolClock versions prior to 4.3.5 (WPScan).

The vulnerability stems from improper escaping of shortcode attributes in the CoolClock plugin. The issue has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical assessment indicates that the vulnerability requires low attack complexity but does need user interaction to be exploited (NVD).

The vulnerability allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers can inject and execute arbitrary JavaScript code in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability has been fixed in CoolClock version 4.3.5. Website administrators running affected versions should update to version 4.3.5 or later to mitigate this security risk (WPScan).