CVE-2021-38316: 
WordPress vulnerability analysis and mitigation

The WP Academic People List WordPress plugin (versions up to and including 0.4.1) was identified with a Reflected Cross-Site Scripting vulnerability (CVE-2021-38316). The vulnerability was discovered and reported by Wordfence, with the initial public disclosure occurring on September 8, 2021. The security flaw exists in the category_name parameter within the admin-panel.php file (WPScan, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.1 (Medium). The technical assessment indicates that the vulnerability has a Network attack vector (AV:N), Low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R) with Changed scope (S:C). The impact metrics show Low confidentiality impact (C:L) and Low integrity impact (I:L) with No availability impact (A:N) (NVD).

The vulnerability allows attackers to inject arbitrary web scripts through the category_name parameter, potentially leading to the execution of malicious JavaScript code in users' browsers. This could result in session hijacking, defacement, or theft of sensitive browser data when administrators access the affected admin panel (WPScan).

Users of the WP Academic People List plugin should upgrade to a version newer than 0.4.1 if available. If an upgrade is not possible, it is recommended to remove or disable the plugin to mitigate the risk (NVD).