CVE-2021-24944: 
WordPress vulnerability analysis and mitigation

CVE-2021-24944 affects the Custom Dashboard & Login Page WordPress plugin versions before 7.0. The vulnerability was discovered and publicly disclosed on December 30, 2021. This security issue impacts WordPress installations using the affected plugin versions, specifically the ag-custom-admin plugin (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to properly sanitize certain settings, enabling high-privilege users to execute XSS attacks even when the unfiltered_html capability is disabled. The CVSS v3.1 base score is 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with high privileges to inject malicious scripts through the plugin's settings, specifically in the 'Change version text' or 'Change footer text' settings. The XSS payload gets triggered on all admin pages, potentially affecting administrative users accessing the WordPress dashboard (WPScan).

The vulnerability has been fixed in version 7.0 of the Custom Dashboard & Login Page plugin. Users are advised to update to this version or later to mitigate the risk. For installations where immediate updating is not possible, administrators should be cautious with high-privilege user access and monitor for potential exploitation attempts (WPScan).