CVE-2021-24988: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24988 affects the WP RSS Aggregator WordPress plugin versions before 4.19.3. This security flaw was discovered and publicly disclosed on November 29, 2021, by security researcher Krzysztof Zając. The vulnerability is a Stored Cross-Site Scripting (XSS) issue that affects the System Info admin dashboard of the plugin (WPScan).

The vulnerability stems from improper data sanitization and escaping in the System Info admin dashboard. Specifically, the wprssdismissaddon_notice AJAX action lacks proper authorization and CSRF checks. The vulnerability has been assigned a CVSS score of 8.0 (High) and is classified as CWE-79 (Cross-Site Scripting). The issue allows authenticated users, including those with subscriber-level access, to inject malicious payloads through the addon parameter (WPScan).

This vulnerability allows any authenticated user, even with minimal privileges such as subscriber-level access, to store and execute malicious JavaScript code in the admin dashboard. When an administrator visits the affected page (wp-admin/admin.php?page=wpra_tools), the stored malicious code executes in their browser context, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been fixed in version 4.19.3 of the WP RSS Aggregator plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).