CVE-2021-24904: 
WordPress vulnerability analysis and mitigation

The Mortgage Calculators WP WordPress plugin before version 1.56 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24904. The vulnerability was discovered in January 2022 and affects the color setting functionality of the calculator's background. This security issue impacts high-privilege users who can perform stored XSS attacks even when the unfiltered_html capability is disabled (WPScan).

The vulnerability stems from improper sanitization of the color setting input in the calculator's background. The issue has been assigned a CVSS score of 3.4 (low severity) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability can be exploited through the plugin's settings page under the Calculator menu item, where malicious JavaScript code can be injected into the color selection input (WPScan).

When successfully exploited, this vulnerability allows high-privilege users to store and execute malicious JavaScript code that will be triggered when other users view pages containing the affected calculator. This could potentially lead to unauthorized actions being performed in the context of the victim's browser session (WPScan).

The vulnerability has been patched in version 1.56 of the Mortgage Calculators WP plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).