CVE-2021-36845: 
WordPress vulnerability analysis and mitigation

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered in YITH Maintenance Mode WordPress plugin versions <= 1.3.8. The vulnerability was disclosed on September 23, 2021, and affected multiple parameters across different tabs in the plugin's interface (NVD, Patchstack).

The vulnerability affects 46 different parameters that were missed during the patching of version 1.3.7 to 1.3.8. The issue spans across multiple tabs including Newsletter, General, Background, Logo, and Socials sections. For example, in the Newsletter tab, the &yith_maintenance_newsletter_submit_label parameter is vulnerable when the payload starts with a single quote symbol. The vulnerability has a CVSS v3.1 base score of 6.9 (Medium) according to Patchstack, while NVD rates it at 4.8 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow authenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability was fixed in version 1.4.0 of the YITH Maintenance Mode plugin. Users are advised to update to version 1.4.0 or later to remove the vulnerability. The fix includes code refactoring to address the XSS issues (WordPress).