CVE-2021-24995: 
WordPress vulnerability analysis and mitigation

The HTML5 Responsive FAQ WordPress plugin through version 2.8.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24995. The vulnerability was discovered by José Aguilera and publicly disclosed on November 23, 2021. The issue affects the plugin's settings functionality where improper sanitization and escaping of certain parameters could lead to XSS attacks, even when the unfiltered_html capability is disabled (WPScan Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue specifically exists in the plugin's settings where the 'Text size of answer (in pixels)' field is not properly sanitized, allowing for the injection of malicious JavaScript code (WPScan Advisory, NVD).

When exploited, the vulnerability allows high-privileged users to inject malicious JavaScript code that executes in the context of other users' browsers when they visit the affected pages. The XSS payload is triggered in the footer of all frontend pages, potentially affecting all visitors to the website (WPScan Advisory).

As of the last update, there is no known fix available for this vulnerability. Users of the HTML5 Responsive FAQ WordPress plugin version 2.8.5 or earlier should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings (WPScan Advisory).