CVE-2021-24979: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24979 is a Reflected Cross-Site Scripting (XSS) issue affecting the Paid Memberships Pro WordPress plugin versions 2.6.5 and below. The vulnerability was discovered by ZhongFu Su (JrXnm) from Wuhan University and was publicly disclosed on November 23, 2021 (WPScan).

The vulnerability exists because the plugin fails to properly escape the 's' parameter before outputting it back in an attribute in an admin page. This security flaw has been assigned a CVSS score of 8.8 (high severity) and is classified under CWE-79. The vulnerability specifically affects the discount codes administration page of the plugin (WPScan).

When exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the admin user's browser session. This could potentially lead to unauthorized actions being performed on behalf of the administrator or the theft of sensitive information (WPScan).

The vulnerability has been patched in version 2.6.6 of the Paid Memberships Pro plugin. Users are strongly advised to update to this version or later to mitigate the risk. The fix involves proper escaping of the 's' parameter in the discount codes administration page (WordPress Trac).