CVE-2021-24983: 
WordPress vulnerability analysis and mitigation

The Asset CleanUp: Page Speed Booster WordPress plugin (versions before 1.3.8.5) contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2021-24983. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on January 3, 2022. The issue affects the WordPress plugin wp-asset-clean-up and specifically impacts admin users who have access to certain AJAX actions (WPScan).

The vulnerability stems from improper sanitization and escaping of POSTed parameters sent to the wpassetcleanupfetchactivepluginsicons AJAX action. This security flaw has been classified as a Cross-Site Scripting (XSS) vulnerability, categorized under CWE-79, with a CVSS score of 7.5 (high severity). The vulnerability specifically affects admin users who have access to the AJAX action functionality (WPScan).

The vulnerability allows for Reflected Cross-Site Scripting attacks against administrative users of WordPress installations running the affected versions of the Asset CleanUp plugin. This could potentially lead to unauthorized actions being performed in the context of the administrator's session (WPScan).

The vulnerability has been fixed in version 1.3.8.5 of the Asset CleanUp plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).