CVE-2021-39357: 
WordPress vulnerability analysis and mitigation

The Leaky Paywall WordPress plugin (versions up to and including 4.16.5) was identified with a Stored Cross-Site Scripting vulnerability (CVE-2021-39357). The vulnerability was discovered by the Thinkland Security Team and publicly disclosed on October 18, 2021. This security issue affects WordPress installations where the plugin is active, particularly impacting multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled (WPScan, NVD).

The vulnerability stems from insufficient input validation and sanitization in the ~/class.php file, which allows attackers with administrative user access to inject arbitrary web scripts. The CVSS v3.1 base score is rated at 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Wordfence).

When exploited, this vulnerability allows attackers with administrative access to inject malicious web scripts into the application. The impact is particularly significant in multi-site installations and environments where unfiltered_html is disabled, potentially leading to the execution of unauthorized scripts in users' browsers (WPScan).

The vulnerability has been patched in version 4.16.7 of the Leaky Paywall plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).