CVE-2021-24960: 
WordPress vulnerability analysis and mitigation

The WordPress File Upload plugin (versions before 4.16.3) and wordpress-file-upload-pro plugin (versions before 4.16.3) contained a security vulnerability identified as CVE-2021-24960. This vulnerability was discovered on February 14, 2022, by security researcher apple502j. The issue affects WordPress installations using these plugin versions and allows users with Contributor-level permissions or higher to potentially conduct Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability stems from the plugin's file upload functionality, which allows users with Contributor privileges to configure the upload form to accept SVG files. These uploaded SVG files could then be leveraged for Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with Contributor-level access to upload malicious SVG files that can execute cross-site scripting attacks when viewed. This could potentially lead to the compromise of other users' sessions, including administrators, who view the malicious SVG file (WPScan).

The vulnerability has been patched in version 4.16.3 of both the WordPress File Upload and wordpress-file-upload-pro plugins. Users are advised to update to this version or later to mitigate the security risk (WPScan, WordPress Plugins).