CVE-2021-25015: 
WordPress vulnerability analysis and mitigation

The myCred WordPress plugin before version 2.4 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-25015. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on December 27, 2021. The issue affects the history dashboard page of the plugin where user input from search queries is not properly sanitized and escaped before being output back to users (WPScan).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79) in the history dashboard page. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely without authentication but requires user interaction (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been patched in myCred version 2.4. Users are strongly advised to upgrade to this version or later to mitigate the risk. The fix involves proper sanitization and escaping of search query parameters in the history dashboard page (WordPress Plugins).