CVE-2021-24975: 
WordPress vulnerability analysis and mitigation

The NextScripts: Social Networks Auto-Poster WordPress plugin before version 4.3.24 contains an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24975. The vulnerability was discovered and publicly disclosed on January 3, 2022. This security issue affects the plugin's admin dashboard functionality, specifically in how it handles logged requests (WPScan).

The vulnerability stems from improper sanitization and escaping of logged requests before they are output in the admin dashboard. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the admin dashboard. When exploited, it can lead to the compromise of sensitive information and potential manipulation of the admin interface. The attack specifically targets the Log/History dashboard (/wp-admin/admin.php?page=nxs-log) where the malicious payload gets triggered (WPScan).

The vulnerability has been patched in version 4.3.24 of the NextScripts: Social Networks Auto-Poster plugin. Users are strongly advised to update to this version or later to protect against potential attacks. The fix includes proper sanitization and escaping of logged requests before they are displayed in the admin dashboard (WPScan).