CVE-2021-24953: 
WordPress vulnerability analysis and mitigation

The Advanced iFrame WordPress plugin before version 2022 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24953. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on February 2, 2022. The issue affects the plugin's admin page functionality (WPScan).

The vulnerability stems from improper sanitization and escaping of the aiconfigid parameter in the admin page. When this parameter is processed, it is output back without proper security controls, enabling a reflected XSS attack. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

The vulnerability allows attackers to execute malicious JavaScript code in the context of the admin page, potentially leading to unauthorized actions, data theft, or session hijacking when an administrator accesses the affected page (WPScan).

The vulnerability has been fixed in version 2022 of the Advanced iFrame plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).