CVE-2021-38328: 
WordPress vulnerability analysis and mitigation

The Notices WordPress plugin (versions up to and including 6.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38328. The vulnerability was discovered and reported by Wordfence on August 9, 2021, and was publicly disclosed on September 10, 2021. The security flaw exists in the ~/notices.php file where an unvalidated $SERVER["PHPSELF"] value is reflected back to users (NVD, CVE Mitre).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.1 (Medium). The technical assessment indicates that the vulnerability has a Network attack vector (AV:N), Low attack complexity (AC:L), requires No privileges (PR:N), and User interaction (UI:R). The scope is Changed (S:C) with Low confidentiality and integrity impacts (C:L, I:L) and No availability impact (A:N) (NVD).

The vulnerability allows attackers to inject arbitrary web scripts through the reflected $SERVER["PHPSELF"] value. This could potentially lead to the execution of malicious scripts in users' browsers, potentially compromising user sessions or stealing sensitive information (NVD).

Users of the Notices WordPress plugin should upgrade to a version newer than 6.1 to address this vulnerability (Wordfence Advisory).