CVE-2021-24826: 
WordPress vulnerability analysis and mitigation

CVE-2021-24826 affects the Custom Content Shortcode WordPress plugin versions before 4.0.2. The vulnerability was discovered by Francesco Carlucci and was publicly disclosed on February 2, 2022. This security issue involves improper escaping of custom fields in the plugin's output functionality (WPScan Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from the plugin's failure to properly escape custom fields before outputting them (NVD Database).

The vulnerability allows Contributor+ users (in versions < 4.0.1) or Admin+ users (in versions < 4.0.2) to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. For single site blogs, admin+ users can still exploit this vulnerability by default unless unfilteredhtml is specifically disabled (WPScan Advisory).

The vulnerability has been fixed in version 4.0.2 of the Custom Content Shortcode WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).