CVE-2021-24408

Name of the Vulnerable Software and Affected Versions Prismatic WordPress plugin versions prior to 2.8

Description The issue allows users with a role as low as Contributor to set Cross-Site payload in some shortcode parameters due to a lack of sanitization or validation. A post made by a contributor would still require admin approval to trigger the XSS in the frontend. However, higher privilege users, such as editors, could exploit this without needing approval, even when the blog disallows the unfiltered html capability.

Recommendations For Prismatic WordPress plugin versions prior to 2.8, update to version 2.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable shortcode parameters until a patch is available. Additionally, restrict access to higher privilege roles, such as editors, to minimize the risk of exploitation.