CVE-2021-25022: 
WordPress vulnerability analysis and mitigation

The UpdraftPlus WordPress Backup Plugin before version 1.16.66 contains a Reflected Cross-Site Scripting vulnerability, identified as CVE-2021-25022. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on December 6, 2021. The issue affects the admin pages of WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability stems from improper sanitization and escaping of the 'backuptimestamp' and 'jobid' parameters before they are output in admin pages. This security flaw has been assigned a CVSS score of 7.5 (High), indicating significant severity. The vulnerability can be exploited through specifically crafted URLs targeting the plugin's admin pages (WPScan).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the admin user's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed with the administrator's privileges (WPScan).

The vulnerability has been patched in UpdraftPlus version 1.16.66. Website administrators are strongly advised to update to this version or later to protect against this security issue. The fix was implemented through changes documented in the WordPress plugin repository (WordPress Plugin, WordPress Update).