CVE-2021-36873: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2021-36873 is an Authenticated Persistent Cross-Site Scripting (XSS) vulnerability affecting WordPress iQ Block Country plugin versions 1.2.11 and earlier. The vulnerability specifically exists in the '&blockcountry_blockmessage' parameter. This security issue was discovered and reported in July 2021, with a fix released in version 1.2.12 (Patchstack, WordPress Plugin).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of type CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists due to improper escaping of the blockcountry_blockmessage setting in the plugin (NVD, Patchstack).

The vulnerability allows authenticated attackers to inject malicious scripts into the website, which can then be executed when other users visit the affected pages. This could lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (Patchstack).

The recommended mitigation is to update the iQ Block Country plugin to version 1.2.12 or later, which contains the security fix for this vulnerability. This version was released shortly after the vulnerability was discovered (WordPress Plugin, Patchstack).