CVE-2021-24855: 
WordPress vulnerability analysis and mitigation

The Display Post Metadata WordPress plugin (versions before 1.5.0) contained a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24855. The vulnerability was discovered by Francesco Carlucci and publicly disclosed on November 15, 2021. The plugin, which adds a shortcode functionality to print out custom fields, failed to properly sanitize or escape content, making it susceptible to XSS attacks (WPScan Vuln).

The vulnerability received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The security flaw was classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The technical issue stems from the plugin's shortcode functionality that prints custom fields without proper content sanitization or escaping (NVD Database).

The vulnerability allows users with roles as low as Contributor to perform Cross-Site Scripting attacks. When successfully exploited, the XSS payload would be triggered when any user views or previews the affected post or page, potentially leading to the execution of malicious JavaScript code in the context of the victim's browser (WPScan Vuln).

The vulnerability was fixed in version 1.5.0 of the Display Post Metadata plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Vuln).