
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-24884 affects the Formidable Form Builder WordPress plugin in versions before 4.09.05. The vulnerability is due to insufficient sanitization of the 'data-frmverify' tag for links on the web-based entry inspection page, allowing unauthenticated attackers to perform HTML injection attacks (WPScan, NVD).
The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) with a CVSS v3.1 base score of 9.6 (Critical). The issue stems from improper sanitization of HTML tags in the plugin, specifically the 'data-frmverify' tag. It is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery) (NVD).
Successful exploitation, especially when combined with CSRF, could allow attackers to perform arbitrary actions with the privileges of the authenticated user who views the injected entry. These actions include potential account takeover by changing passwords and the ability to submit malicious code through the authenticated user, potentially leading to Remote Code Execution if that user has permission to edit WordPress PHP code (WPScan).
The vulnerability has been patched in version 4.09.05 of the Formidable Form Builder plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan, GitHub Patch).
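The root cause above is a stored value reaching link markup without an attribute allowlist or escaping. The following added example (not the plugin's code; the attribute allowlist, function names and inputs are constructed) contrasts an unescaped link renderer with a hardened one and includes a simple check a reviewer can use to confirm a stored value cannot add markup:

```python
"""Allowlisted, escaped rendering of a user-controlled link attribute.

Added example, not code from Formidable Forms. Assumes a form builder stores a
custom ``data-frmverify`` attribute on links and later renders it to an admin.
"""
import html
import re
from urllib.parse import urlparse

# Constructed allowlist: the only attributes a rendered link may carry.
ALLOWED_LINK_ATTRS = {"href", "title", "data-frmverify"}
# Relative URLs (empty scheme) and web schemes only.
SAFE_HREF_SCHEMES = {"", "http", "https"}


def render_link_unsafe(attrs: dict, text: str) -> str:
    """Anti-pattern: values are concatenated raw, so a quote or angle
    bracket in a stored value terminates the attribute and adds markup."""
    attr_str = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f"<a{attr_str}>{text}</a>"


def render_link_safe(attrs: dict, text: str) -> str:
    """Hardened form: unknown attributes are dropped, href is limited to
    safe schemes, and every value and the link text are HTML-escaped."""
    clean = {}
    for name, value in attrs.items():
        name = name.lower()
        if name not in ALLOWED_LINK_ATTRS:
            continue
        if name == "href" and urlparse(str(value)).scheme.lower() not in SAFE_HREF_SCHEMES:
            continue
        # quote=True also escapes double and single quotes, so the value
        # cannot close the surrounding attribute.
        clean[name] = html.escape(str(value), quote=True)
    attr_str = "".join(f' {k}="{v}"' for k, v in clean.items())
    return f"<a{attr_str}>{html.escape(text)}</a>"


def contains_markup_breakout(rendered: str) -> bool:
    """Review check: a single link should contain exactly two tag openers
    (<a and </a); anything more means a value escaped its attribute."""
    return len(re.findall(r"<[a-zA-Z/]", rendered)) > 2
```

The check is deliberately coarse: it flags any extra tag rather than recognizing specific payloads, which is the right bias for a regression test on sanitization.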
Source: This report was generated using AI