CVE-2021-24672: 
WordPress vulnerability analysis and mitigation

The One User Avatar WordPress plugin before version 2.3.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24672. The vulnerability was discovered and publicly disclosed on September 20, 2021. This security issue affects the plugin's shortcode functionality and impacts WordPress installations using One User Avatar versions prior to 2.3.7 (WPScan).

The vulnerability stems from improper escaping of the link and target attributes in the plugin's shortcode implementation. The CVSS v3.1 score for this vulnerability is 5.4 (Medium), while the CVSS v2.0 score is 3.5 (Low). The vulnerability is classified under CWE-79 and falls into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, NVD Results).

The vulnerability allows users with privileges as low as Contributor to perform Stored Cross-Site Scripting attacks. This means that malicious actors with minimal access rights can inject and store malicious scripts that execute when other users view the affected content (WPScan).

The vulnerability has been fixed in version 2.3.7 of the One User Avatar plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).