CVE-2021-24923: 
WordPress vulnerability analysis and mitigation

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before version 3.1.25 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on December 23, 2021. The issue stems from the plugin's failure to properly escape the sib-statistics-date parameter before outputting it back in an attribute (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), and has a changed scope (S:C) with low impact on both confidentiality and integrity (C:L, I:L) and no impact on availability (A:N) (NVD).

The vulnerability allows attackers to execute malicious scripts in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks. The impact is categorized as low for both confidentiality and integrity, with no impact on system availability (AttackerKB).

The vulnerability has been fixed in version 3.1.25 of the Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).