CVE-2021-38356: 
WordPress vulnerability analysis and mitigation

The NextScripts: Social Networks Auto-Poster WordPress plugin version 4.3.20 and earlier was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38356. The vulnerability was discovered and disclosed in October 2021, affecting approximately 100,000 WordPress sites using this plugin (Wordfence Advisory).

The vulnerability exists in the inc/nxsclasssnap.php file where the $REQUEST['page'] parameter is not properly sanitized before being echoed back to the user. The exploitation requires supplying the value 'nxssnap-post' to $GET['page'] parameter along with malicious JavaScript code in $_POST['page']. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and a CVSS v2.0 Base Score of 4.3 (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

Users are advised to update their NextScripts: Social Networks Auto-Poster plugin to a version newer than 4.3.20 to address this vulnerability. The fix includes proper input sanitization and output escaping of the affected parameter (Wordfence Advisory).