CVE-2021-39340: 
WordPress vulnerability analysis and mitigation

The Notification WordPress plugin (version 7.2.4 and earlier) was found to contain a Stored Cross-Site Scripting vulnerability, identified as CVE-2021-39340. The vulnerability was discovered by the Thinkland Security Team and disclosed on October 25, 2021. This security issue affects WordPress installations with the Notification plugin installed (NVD, Wordfence).

The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The security flaw exists in the Settings section of the plugin, specifically in the CARRIERS subsection where the FromName field is vulnerable to XSS payload injection (Wordfence).

When exploited, this vulnerability allows attackers with administrative user access to inject arbitrary web scripts into the affected WordPress installation. The impact is considered moderate as it requires high privileges to exploit and can potentially lead to data exposure and interface manipulation (NVD).

Users are advised to update their Notification WordPress plugin to a version newer than 7.2.4 to address this vulnerability. The issue has been fixed in subsequent releases (NVD).