CVE-2021-24874: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24874 vulnerability affects the Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin versions before 3.1.31. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on January 12, 2022 (WPScan).

This vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability occurs because the plugin fails to properly escape the 'lang' and 'pid' parameters before outputting them back in attributes. The CVSS v3.1 base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to execute malicious scripts in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been fixed in version 3.1.31 of the plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).