CVE-2021-24994: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24994 affects the WPvivid Backup and Migration WordPress plugin versions before 0.9.69. This vulnerability was discovered and publicly published on January 31, 2022. The security flaw exists in the plugin's remote storage functionality, specifically affecting the authentication and input sanitization mechanisms (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM). The technical root cause involves two main issues: lack of proper authorization when adding remote storages and insufficient sanitization and escaping of parameters from unauthenticated requests before output in the admin page. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

When exploited, this vulnerability allows unauthenticated attackers to store malicious JavaScript code that executes when administrators access the plugin's admin page. This can lead to potential compromise of administrator sessions and unauthorized actions performed in the context of the administrator's account (WPScan).

The vulnerability has been fixed in version 0.9.69 of the WPvivid Backup and Migration plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).