CVE-2021-38349: 
WordPress vulnerability analysis and mitigation

The Integration of Moneybird for WooCommerce WordPress plugin (versions up to and including 2.1.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38349. The vulnerability was discovered and disclosed on September 9, 2021, by security researcher p7e4 (Wordfence Intel).

The vulnerability exists in the error_description parameter within the ~/templates/wcmb-admin.php file, which allows attackers to inject arbitrary web scripts. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts in the context of the affected WordPress site, potentially leading to the compromise of user data and website functionality. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability (NVD).

At the time of disclosure, no official patch was available for this vulnerability. Users of the Integration of Moneybird for WooCommerce WordPress plugin should consider implementing general XSS protection measures and monitoring for potential updates (Wordfence Intel).