CVE-2021-36832: 
WordPress vulnerability analysis and mitigation

WordPress Icegram plugin versions 2.0.2 and below contained a stored Cross-Site Scripting (XSS) vulnerability in the "Headline" (&message_data[16][headline]) input field. The vulnerability was discovered on July 19, 2021, and was assigned CVE-2021-36832. The issue affected the Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA WordPress plugin (WordPress Plugin, Patchstack Advisory).

The vulnerability was classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N from Patchstack, and 5.4 (Medium) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD Details).

The vulnerability could allow high-privilege users to perform Cross-Site Scripting attacks by injecting malicious scripts through the headline parameter. If exploited, attackers could potentially execute arbitrary JavaScript code in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability was patched in version 2.0.3 of the Icegram plugin. Users were advised to update to this version or later to resolve the security issue. The fix included improved security related to XSS and proper input sanitization (WordPress Plugin).