CVE-2021-24494

Name of the Vulnerable Software and Affected Versions WP Offload SES Lite WordPress plugin versions prior to 1.4.5

Description The issue arises from the failure to escape certain fields in the Activity page of the admin dashboard, such as the email's id, subject, and recipient. This oversight could lead to Stored Cross-Site Scripting issues when an attacker gains control over any of these fields, for example, by manipulating the subject field when filling out a contact form. The XSS will be executed in the context of a logged-in admin viewing the Activity tab of the plugin.

Recommendations For versions prior to 1.4.5, update to version 1.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Activity tab of the plugin to minimize the risk of exploitation. Avoid using the vulnerable fields, such as subject and recipient, in the Activity page until the issue is resolved.