CVE-2021-24388

Name of the Vulnerable Software and Affected Versions VikRentCar Car Rental Management System WordPress plugin versions prior to 1.1.7

Description The issue is related to a stored Cross-Site Scripting problem. It arises because the field name in the custom field option is not properly sanitised or escaped before being output back on the page. Additionally, there is no CSRF check performed before saving the setting, which allows attackers to manipulate a logged-in admin into setting arbitrary Custom Fields, including those with XSS payloads.

Recommendations For versions prior to 1.1.7, update to version 1.1.7 or later to resolve the issue. As a temporary workaround, consider disabling the custom field option until a patch is available. Restrict access to the setting management page to minimize the risk of exploitation.