CVE-2021-4074: 
WordPress vulnerability analysis and mitigation

The WHMCS Bridge WordPress plugin was found to contain a Stored Cross-Site Scripting vulnerability (CVE-2021-4074) in versions up to and including 6.1. The vulnerability exists in the cc_whmcs_bridge_url parameter located in the ~/whmcs-bridge/bridge_cp.php file. Due to missing authorization checks in the cc_whmcs_bridge_add_admin function, low-privileged users such as subscribers could exploit this vulnerability (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N by NIST, while Wordfence assigned it a score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-862 (Missing Authorization) (NVD).

The vulnerability allows attackers to inject arbitrary web scripts into the application. When successfully exploited, this could lead to unauthorized access and potential manipulation of user data through cross-site scripting attacks (NVD).

The vulnerability was addressed in version 6.3 of the WHMCS Bridge WordPress plugin. Users are advised to update to this version or later to mitigate the security risk. The update includes security upgrades for the admin panel and fixes for various issues (WordPress Plugin).