CVE-2021-38361: 
WordPress vulnerability analysis and mitigation

The .htaccess Redirect WordPress plugin (versions up to and including 0.3.1) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38361. The vulnerability was discovered and reported by Wordfence security researchers, with the initial CVE record being created on August 9, 2021, and publicly disclosed on December 14, 2021 (NVD, CVE Mitre).

The vulnerability exists in the link parameter within the ~/htaccess-redirect.php file, which allows attackers to inject arbitrary web scripts. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it received a Base Score of 4.3 (Medium) with the vector (AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows attackers to inject and execute arbitrary web scripts in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions typically associated with XSS attacks (NVD).

Users of the .htaccess Redirect WordPress plugin should upgrade to a version newer than 0.3.1 to address this vulnerability. If immediate upgrading is not possible, it is recommended to remove or disable the plugin until it can be updated (NVD).