CVE-2021-24837: 
WordPress vulnerability analysis and mitigation

The Passster WordPress plugin before version 3.5.5.8 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24837. The vulnerability was publicly disclosed on December 29, 2022, and affects the plugin's shortcode functionality where the area parameter is not properly escaped (WPScan, NVD).

The vulnerability stems from improper escaping of the area parameter in the plugin's shortcode implementation. Users with Contributor-level access or higher can exploit this by injecting malicious JavaScript code through the shortcode parameter. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (MEDIUM) severity. A proof of concept exploit involves using the following shortcode: [passster password="1" area='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(/XSS/)//']. The vulnerability is classified under CWE-79 and falls into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows users with Contributor-level permissions or higher to perform Cross-Site Scripting attacks against other users of the WordPress site. This could potentially lead to the execution of arbitrary JavaScript code in users' browsers, potentially compromising user sessions or performing unauthorized actions on behalf of other users (NVD).

The vulnerability has been fixed in Passster version 3.5.5.8. Site administrators are strongly advised to update their Passster plugin to this version or newer to mitigate the risk (WPScan).