CVE-2021-24129

Name of the Vulnerable Software and Affected Versions: Themify Portfolio Post WordPress plugin versions prior to 1.1.6

Description: The issue arises from unvalidated input and a lack of output encoding in the Themify Portfolio Post WordPress plugin, leading to Stored Cross-Site Scripting (XSS) vulnerabilities. This allows low-privileged users, such as those with Contributor+ permissions, to inject arbitrary JavaScript code or HTML into posts where the Themify Custom Panel is embedded. This could potentially lead to privilege escalation.

Recommendations: For versions prior to 1.1.6, update to version 1.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Themify Custom Panel for low-privileged users until the update can be applied.