CVE-2021-39344: 
WordPress vulnerability analysis and mitigation

The KJM Admin Notices WordPress plugin (versions up to and including 2.0.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2021-39344) that was discovered in October 2021. The vulnerability affects the plugin's admin functionality, specifically in the ~/admin/class-kjm-admin-notices-admin.php file, where insufficient input validation and sanitization allows attackers with administrative access to inject arbitrary web scripts. This vulnerability particularly impacts multi-site installations where unfilteredhtml is disabled for administrators, and sites where unfilteredhtml is disabled (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 4.8 (Medium) according to NVD, and 5.5 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C) with low impacts on both confidentiality and integrity (C:L/I:L) and no impact on availability (A:N) (NVD).

The vulnerability allows attackers with administrative access to inject arbitrary web scripts into the system. This particularly affects multi-site installations where unfilteredhtml is disabled for administrators and sites where unfilteredhtml is disabled, potentially leading to cross-site scripting attacks (NVD).

The vulnerability was addressed in versions after 2.0.1. Users should upgrade to the latest version of the plugin to mitigate this security risk (NVD).