CVE-2021-24941: 
WordPress vulnerability analysis and mitigation

CVE-2021-24941 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in the Icegram WordPress plugin versions below 2.0.5. The vulnerability was identified by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on November 22, 2021 (WPScan).

The vulnerability stems from improper input sanitization in the Icegram plugin. Specifically, the plugin fails to sanitize and escape the messageid parameter of the getmessageactionrow AJAX action before outputting it back in an attribute. This security flaw has been assigned a CVSS score of 4.7 (medium severity) and is classified under CWE-79, which relates to improper neutralization of input during web page generation (WPScan).

When exploited, this vulnerability could allow attackers to execute cross-site scripting attacks. The XSS payload gets triggered when users move their mouse over specific text in the response, potentially leading to the execution of malicious JavaScript code in users' browsers (WPScan).

The vulnerability has been fixed in Icegram version 2.0.5. Users are advised to update their Icegram plugin to this version or later to mitigate the risk (WPScan).