CVE-2021-24972: 
WordPress vulnerability analysis and mitigation

The Pixel Cat WordPress plugin (also known as facebook-conversion-pixel) before version 2.6.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on November 15, 2021. The issue affects the plugin's settings functionality where certain fields are not properly escaped (WPScan).

The vulnerability exists because the plugin does not properly escape some of its settings, specifically in the Google Product Category setting. This allows for stored XSS attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Cross-Site Scripting (AttackerKB).

When exploited, this vulnerability allows high-privilege users to perform Cross-Site Scripting attacks. The impact is considered low to medium as it requires high privileges to exploit and user interaction to trigger the payload. The vulnerability affects confidentiality and integrity at a low level, with no impact on availability (AttackerKB).

The vulnerability has been fixed in version 2.6.3 of the Pixel Cat plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).