CVE-2021-24882: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24882 affects the Slideshow Gallery WordPress plugin versions before 1.7.4. The vulnerability was discovered by Tyler Miller and was publicly disclosed on October 25, 2021. The issue exists in the plugin's handling of Slide 'Title', 'Description', and Gallery 'Title' fields, which lack proper sanitization and escaping mechanisms (WPScan).

This vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and a CVSS v2.0 score of 3.5 (LOW) (NVD).

The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. The XSS can be triggered both in the backend (Title field, in the Slide/Gallery list pages) and frontend (in pages/posts where the Slide/Gallery is embedded) (WPScan).

The vulnerability has been fixed in version 1.7.4 of the Slideshow Gallery plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).