CVE-2021-24992: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24992 affects the WordPress plugin Buttonizer - Smart Floating Action Button versions prior to 2.5.5. This is a Stored Cross-Site Scripting (XSS) vulnerability that was publicly disclosed on November 29, 2021. The vulnerability affects users with administrative privileges and was discovered by security researcher Dipak Panchal (WPScan).

The vulnerability exists because the plugin does not properly sanitize and escape certain parameters before outputting them in attributes and page content. This security flaw persists even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.8 (Low) and is classified as CWE-79: Cross-Site Scripting (WPScan).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks. The XSS payload can be triggered in two ways: without user interaction when viewing a page with an affected button for the label field XSS, and upon clicking for the URL-based XSS (WPScan).

The vulnerability has been fixed in version 2.5.5 of the Buttonizer plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).