CVE-2021-24452

Name of the Vulnerable Software and Affected Versions W3 Total Cache WordPress plugin versions prior to 2.1.5

Description The issue is a reflected Cross-Site Scripting (XSS) problem within the extension parameter in the Extensions dashboard. This occurs when the 'Anonymously track usage to improve product quality' setting is enabled, and the parameter is output in a JavaScript context without proper escaping. An attacker could exploit this by convincing an authenticated admin to click a link, allowing the attacker to run malicious JavaScript within the user's web browser, potentially leading to full site compromise.

Recommendations For versions prior to 2.1.5, update to version 2.1.5 or later to resolve the issue. As a temporary workaround, consider disabling the 'Anonymously track usage to improve product quality' setting until a patch is applied. Restrict access to the Extensions dashboard to minimize the risk of exploitation. Avoid using the extension parameter in the affected dashboard until the issue is resolved.