
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-4367 affects the WordPress plugin Flo Forms in versions prior to 1.0.36. The issue was discovered on March 16, 2021, by security researcher Jerome Bruandet. It allows low-privilege authenticated users to call the plugin's flo_import_forms_options AJAX action and, through it, store JavaScript that later executes in the WordPress backend (WPScan).
WPScan classifies the vulnerability as an Authenticated Options Change leading to Stored XSS (Cross-Site Scripting) and assigns it a critical CVSS score of 9.9. It maps to the OWASP Top 10 category A5: Broken Access Control (A5 in the 2017 list, A01 in the 2021 list) and to CWE-284 (Improper Access Control). The root cause is that the plugin's 'flo_import_forms_options' AJAX action does not adequately restrict who may invoke it: a user who should not be able to change plugin settings can use it to import option values of their choosing, and those values are later rendered in the admin interface, which is where the stored script executes (WPScan).
In practice, an attacker who holds any low-privilege account on a site running an affected version can plant JavaScript that runs in the browser of an administrator who later views the affected backend page, with that administrator's session and privileges. From there the script can perform administrative actions on the attacker's behalf, so the impact can escalate from a settings change to unauthorized control of the site's backend (WPScan). The prerequisite is an account on the site, so installations with open registration or many subscriber-level users are the most exposed.
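The pattern behind this class of bug, shown as an added illustration rather than Flo Forms' actual code: a WordPress AJAX handler that writes request data into wp_options without checking the caller's capability, next to a hardened version. The action name, option key and request fields (demo_import_forms_options, demo_forms_options, title, success_msg, notify_email) are assumptions made for the example; the nonce check in the hardened version is general good practice and is not a statement about whether the original plugin had one.

```php
<?php
/*
 * Illustrative WordPress AJAX handlers (not Flo Forms' code).
 * Reconstructs the vulnerable pattern described in the advisory: an
 * options-import action reachable by low-privilege users, whose stored
 * values are later echoed in the admin area. All names are assumptions.
 */

// --- Vulnerable pattern: no capability check, no nonce, no sanitisation. ---
// Every logged-in user can reach wp_ajax_* actions, so a subscriber can
// POST to admin-ajax.php?action=demo_import_forms_options_vuln and write
// attacker-controlled data straight into wp_options.
function demo_import_forms_options_vulnerable() {
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    update_option( 'demo_forms_options', $options ); // stored verbatim
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_import_forms_options_vuln', 'demo_import_forms_options_vulnerable' );

// The stored value is later echoed on an admin page without escaping,
// which is where the stored XSS fires in an administrator's browser.
function demo_render_settings_vulnerable() {
    $options = get_option( 'demo_forms_options', array() );
    echo '<h2>' . ( $options['title'] ?? '' ) . '</h2>'; // unescaped output
}

// --- Hardened pattern: authorisation, CSRF token, allow-listed input, escaped output. ---
function demo_import_forms_options_hardened() {
    // 1. Authorisation: only users allowed to manage options may import them.
    //    This is the missing access-control check that CWE-284 describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action
    //    (wp_create_nonce( 'demo_import_forms_options' ) on the client side).
    check_ajax_referer( 'demo_import_forms_options', 'nonce' );

    $raw = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    // 3. Allow-list the keys we expect and sanitise each value by type,
    //    so unknown keys and raw markup never reach the database.
    $clean = array(
        'title'        => sanitize_text_field( $raw['title'] ?? '' ),
        'success_msg'  => wp_kses_post( $raw['success_msg'] ?? '' ),
        'notify_email' => sanitize_email( $raw['notify_email'] ?? '' ),
    );
    update_option( 'demo_forms_options', $clean );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_import_forms_options', 'demo_import_forms_options_hardened' );

// 4. Escape on output as well: even a value that slipped past input
//    sanitisation cannot become executable script in the admin page.
function demo_render_settings_hardened() {
    $options = get_option( 'demo_forms_options', array() );
    echo '<h2>' . esc_html( $options['title'] ?? '' ) . '</h2>';
}
```

The capability check is the fix that addresses the advisory's access-control classification; the nonce, allow-listing and output escaping are layered so that a single missed check does not turn into stored XSS again.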
The vulnerability was fixed in Flo Forms version 1.0.36. Administrators running an earlier version should update to 1.0.36 or later without delay (WPScan). Because the weakness is exploitable by any authenticated user, it is also worth checking whether the site allows self-registration and whether any low-privilege accounts look unexpected. Updating stops further malicious imports but does not by itself remove option values that were already injected, so sites that may already have been targeted should inspect the plugin's stored options for script content after updating.
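A post-update check, added here as an example and not part of the advisory or the plugin: a WP-CLI script that scans wp_options for values that look like injected markup. The advisory does not name the plugin's option keys, so the script assumes they contain the substring 'flo' (an assumption; adjust the filter to the real keys) and walks serialized arrays so nested values are covered. The plugin slug used in the version check below (flo-forms) is likewise assumed.

```php
<?php
/*
 * audit-options.php  (example code, not Flo Forms' own)
 * Run after updating with:  wp eval-file audit-options.php
 * Check the installed version first with:  wp plugin get flo-forms --field=version
 * Assumptions: option names of interest contain 'flo'; the regexes below
 * are a coarse heuristic for injected script, not a complete XSS detector.
 */
global $wpdb;

$suspicious = array(
    '/<script\b/i',
    '/\bon[a-z]+\s*=/i',   // onerror=, onload=, onmouseover=, ...
    '/javascript\s*:/i',
    '/<iframe\b/i',
);

// Pull only the rows whose names match the assumed prefix; esc_like()
// escapes the search term so it cannot alter the LIKE pattern.
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        '%' . $wpdb->esc_like( 'flo' ) . '%'
    )
);

// Recursively inspect a (possibly nested) option value and record matches.
function demo_walk_option( $value, $path, $patterns, &$hits ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            demo_walk_option( $v, $path . '/' . $k, $patterns, $hits );
        }
        return;
    }
    if ( ! is_string( $value ) ) {
        return;
    }
    foreach ( $patterns as $p ) {
        if ( preg_match( $p, $value ) ) {
            $hits[] = array(
                'path'    => $path,
                'pattern' => $p,
                'snippet' => substr( $value, 0, 80 ),
            );
            return;
        }
    }
}

$hits = array();
foreach ( $rows as $row ) {
    // maybe_unserialize() turns serialized arrays back into PHP arrays
    // and leaves plain strings untouched.
    demo_walk_option( maybe_unserialize( $row->option_value ), $row->option_name, $suspicious, $hits );
}

if ( empty( $hits ) ) {
    WP_CLI::success( 'No script-like content found in matching options.' );
} else {
    foreach ( $hits as $h ) {
        WP_CLI::warning( sprintf( '%s matched %s: %s', $h['path'], $h['pattern'], $h['snippet'] ) );
    }
}
```

A hit is a lead, not proof of compromise: some legitimate settings contain HTML, so review each flagged value by hand before deleting it, and treat any confirmed injected script as a reason to rotate administrator sessions and credentials as well.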
Source: This report was generated using AI