CVE-2021-24792: 
WordPress vulnerability analysis and mitigation

The Shiny Buttons WordPress plugin through version 1.1.0 contains an unauthenticated Stored Cross-Site Scripting vulnerability identified as CVE-2021-24792. The vulnerability was discovered and publicly disclosed on November 15, 2021 (WPScan).

The vulnerability exists due to the plugin lacking proper authorization controls and CSRF protection in the wpbtnsavetemplate function, which is hooked to the init action. Additionally, the plugin fails to properly sanitize and escape template data before outputting it in the admin dashboard. The vulnerability has been assigned a CVSS score of 8.8 (High) and is classified under CWE-79 (WPScan).

This vulnerability allows unauthenticated users to add malicious templates that can execute arbitrary JavaScript code in the context of the admin dashboard when viewed by administrators. This could lead to various attacks including account takeover, site defacement, or other malicious actions performed with administrative privileges (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Website administrators using the Shiny Buttons plugin version 1.1.0 or lower should consider removing or disabling the plugin until a security patch is released (WPScan).