CVE-2021-24797: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24797 affects the Tickera WordPress plugin versions before 3.4.8.3. This security flaw was discovered by Ajit Bhatta and publicly disclosed on November 23, 2021. The vulnerability exists in the plugin's handling of Name fields for booked Events in the Orders admin dashboard (WPScan).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from improper sanitization and escaping of the Name fields in booked Events before they are output in the Orders admin dashboard (NVD).

The vulnerability allows unauthenticated users to perform Cross-Site Scripting attacks against administrators. When exploited, the XSS payload is triggered when administrators view the Orders page in the admin dashboard at /wp-admin/edit.php?posttype=tcorders (WPScan).

The vulnerability has been fixed in version 3.4.8.3 of the Tickera WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).