CVE-2021-24509

Name of the Vulnerable Software and Affected Versions Page View Count WordPress plugin versions prior to 2.4.9

Description The issue allows users with a role as low as Contributor to perform Stored XSS attacks due to the lack of escaping of the postid parameter in the pvc stats shortcode. For contributors, a post would need to be approved by an admin to trigger the XSS in the frontend. However, higher privilege users, such as editors, could exploit this without needing approval, even when the blog disallows the unfiltered html capability.

Recommendations For versions prior to 2.4.9, update to version 2.4.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the pvc stats shortcode to minimize the risk of exploitation. Avoid using the postid parameter in the affected shortcode until the issue is resolved.