CVE-2021-25117: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-25117 affects the WP-PostRatings WordPress plugin versions before 1.86.1. This security flaw was discovered and publicly disclosed on December 24, 2020, by researcher Park Won Seok. The vulnerability is related to insufficient sanitization of the postratings_image parameter in the plugin's options page (WPScan).

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that exists in the plugin's options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). The security flaw stems from improper sanitization of the postratings_image parameter. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. It is classified as CWE-79 (Cross-Site Scripting) in the Common Weakness Enumeration system (NVD).

Although the vulnerable page is only accessible to administrators and protected against CSRF attacks, the vulnerability can still be exploited when the unfiltered_html capability is disabled. This could potentially allow for the execution of malicious JavaScript code in the context of the administrator's browser session (WPScan).

The vulnerability has been patched in version 1.86.1 of the WP-PostRatings plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).