CVE-2024-13621: 
WordPress vulnerability analysis and mitigation

The GDPR Framework By Data443 WordPress plugin before version 2.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape certain settings, which affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan, NVD).

The vulnerability exists in the plugin's settings handling mechanism, specifically in the cookie popup configuration section. The affected settings include the 'Cookie Acceptance Popup header' and 'Cookie Acceptance Popup Content' fields, which do not properly sanitize or escape user input. This allows for the injection of malicious scripts that are stored in the database and executed when users view the affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan).

The vulnerability allows high-privilege users to store and execute arbitrary JavaScript code on the website, even in environments where such capabilities should be restricted. This could potentially lead to client-side attacks against site visitors and administrators (WPScan).

The vulnerability has been patched in version 2.2.0 of the GDPR Framework By Data443 plugin. Site administrators are advised to update to this version or later to protect against this security issue (WPScan).