CVE-2021-38359: 
WordPress vulnerability analysis and mitigation

The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin (versions up to and including 1.4.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38359. The vulnerability was discovered and reported by researcher p7e4, with the CVE being created on August 9, 2021 (CVE MITRE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and exists in the message parameter within the ~/admin/admin.php file. The CVSS v3.1 score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (Wordfence Advisory).

The vulnerability allows attackers to inject arbitrary web scripts through the message parameter, potentially leading to the compromise of user data and browser sessions. The CVSS scoring indicates low impacts on both confidentiality and integrity, with no impact on availability (NVD).

No official patch has been released for this vulnerability as indicated in the available sources (Wordfence Advisory). Users are advised to consider removing or disabling the plugin until a security update becomes available.