CVE-2021-24880: 
WordPress vulnerability analysis and mitigation

The SupportCandy WordPress plugin before version 2.2.7 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24880. The vulnerability was discovered by researcher apple502j and was publicly disclosed on January 5, 2022. This security issue affects the plugin's shortcode functionality, specifically impacting WordPress installations running SupportCandy versions prior to 2.2.7 (WPScan).

The vulnerability stems from improper validation and escaping of the page attribute in the plugin's shortcode implementation. The issue has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. A proof of concept exploit has been documented using the following shortcode: [supportcandy page="init';alert(/XSS/)//"] (WPScan).

The vulnerability allows users with privileges as low as Contributor level to perform Cross-Site Scripting attacks against the website. This creates a significant security risk as it enables malicious actors with minimal access rights to inject and execute arbitrary JavaScript code in users' browsers (WPScan).

The vulnerability has been patched in SupportCandy version 2.2.7. Website administrators running affected versions should update to version 2.2.7 or later to mitigate this security risk (WPScan).