CVE-2021-24685: 
WordPress vulnerability analysis and mitigation

The Flat Preloader WordPress plugin before version 1.5.4 contains a security vulnerability identified as CVE-2021-24685. The vulnerability was discovered and publicly disclosed on September 28, 2021, by researcher apple502j. This security issue affects the plugin's settings functionality, where it fails to implement proper nonce checks during settings updates and lacks adequate sanitization and escaping of input (WPScan Advisory).

The vulnerability combines Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) issues. The CVSS v3.1 base score is 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is tracked under both CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery). While the CSRF component was addressed in version 1.5.1, additional sanitization improvements were implemented through versions 1.5.2 to 1.5.4 (NVD, WPScan Advisory).

The vulnerability allows attackers to manipulate a logged-in administrator into changing plugin settings with malicious Cross-Site Scripting payloads. These payloads can be triggered either in the frontend or backend of the WordPress installation, depending on the specific payload used (WPScan Advisory).

The vulnerability has been fully patched in version 1.5.4 of the Flat Preloader plugin. While the CSRF component was initially addressed in version 1.5.1, additional sanitization improvements were implemented through versions 1.5.2 to 1.5.4. Users are strongly advised to update to version 1.5.4 or later to ensure complete protection (WPScan Advisory).