CVE-2021-24954: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24954 affects the User Registration, Login Form, User Profile & Membership WordPress plugin (also known as ProfilePress) versions before 3.2.3. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on November 15, 2021 (WPScan).

This vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79. The security flaw exists because the plugin fails to properly sanitize and escape the ppressccdata parameter before outputting it back in an attribute of an admin dashboard page. The vulnerability has received varying CVSS scores: CVSS 3.1 Base Score of 6.1 (Medium) according to NVD, and CVSS 8.8 (High) according to WPScan (NVD, WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks through the admin dashboard page. This could potentially lead to unauthorized access to sensitive information and compromise of user interactions within the admin interface (WPScan).

The vulnerability has been fixed in version 3.2.3 of the plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).