CVE-2021-24503

Name of the Vulnerable Software and Affected Versions The Popular Brand Icons – Simple Icons WordPress plugin versions prior to 2.7.8

Description The issue allows users with a role as low as Contributor to set Cross-Site payload in some shortcode parameters, such as color, size, or class, due to a lack of sanitization or validation. A post made by a contributor would still require admin approval to trigger the XSS in the frontend. However, higher privilege users, such as editors, could exploit this without needing approval, even when the blog disallows the unfiltered html capability.

Recommendations For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable shortcode parameters, such as color, size, or class, until a patch is available. Additionally, restrict access to the plugin's functionality for lower privilege users, such as contributors, to minimize the risk of exploitation.