CVE-2021-24810: 
WordPress vulnerability analysis and mitigation

The WP Event Manager WordPress plugin (versions before 3.1.23) contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24810. The vulnerability was discovered by Huy Nguyen and publicly disclosed on February 14, 2022. The security flaw exists in the Field Editor settings functionality where certain fields are not properly escaped during output (WPScan Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from insufficient escaping of Field Editor settings when they are output, which can be exploited even when the unfiltered_html capability is disabled (NVD).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks on the affected WordPress installations. When successfully exploited, it could lead to the execution of arbitrary JavaScript code in the context of other users' browsers who access the affected pages (WPScan Advisory).

The vulnerability has been fixed in WP Event Manager version 3.1.23. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).