CVE-2021-38352: 
WordPress vulnerability analysis and mitigation

The Feedify – Web Push Notifications WordPress plugin (versions up to and including 2.1.8) was identified with a Reflected Cross-Site Scripting vulnerability (CVE-2021-38352). The vulnerability was discovered in September 2021 and was assigned by Wordfence. The security flaw exists in the feedify_msg parameter within the ~/includes/base.php file (NVD, WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium). The attack vector is characterized as Network (AV:N) with Low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with Low confidentiality and integrity impact (C:L, I:L) and No availability impact (A:N) (Wordfence).

The vulnerability allows attackers to inject arbitrary web scripts through the feedify_msg parameter, potentially leading to the execution of malicious JavaScript code in users' browsers. This could result in theft of sensitive information, session hijacking, or other client-side attacks (NVD).

A fix was released in version 2.1.9 of the Feedify Web Push Notifications plugin. Users are advised to update to this version or later to mitigate the vulnerability (WPScan).