CVE-2021-24817: 
WordPress vulnerability analysis and mitigation

The Ultimate NoFollow WordPress plugin through version 1.4.8 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24817. The vulnerability was discovered by Quentin VILLAIN (3wsec) and publicly disclosed on November 15, 2021. This security issue affects the plugin's shortcode functionality and impacts WordPress installations using the Ultimate NoFollow plugin version 1.4.8 or earlier (WPScan).

The vulnerability stems from insufficient sanitization and escaping of the href attribute in the plugin's shortcodes. The affected shortcodes include nf, nofo, nofol, nofollow, and relnofollow. The issue has been assigned a CVSS score of 6.8 (medium) and is classified as a Cross-Site Scripting (XSS) vulnerability under CWE-79. The vulnerability can be exploited through the plugin's shortcode functionality, where the href attribute is not properly sanitized before being processed (WPScan).

This vulnerability allows users with privileges as low as contributor level to perform Cross-Site Scripting attacks. When exploited, the XSS payload is triggered when the post is previewed or viewed, potentially affecting administrators reviewing the content. This could lead to unauthorized actions being performed in the context of the victim's browser session (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Website administrators using the affected plugin should consider either removing the plugin or implementing additional security controls to restrict access to the shortcode functionality (WPScan).