CVE-2021-24714

Name of the Vulnerable Software and Affected Versions Import any XML or CSV File to WordPress plugin versions prior to 3.6.3

Description The issue allows high privilege users to perform Cross-Site attacks even when the unfiltered html capability is disallowed, due to the plugin not escaping the Import's Title and Unique Identifier fields before outputting them in admin pages.

Recommendations For versions prior to 3.6.3, update to version 3.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin pages where the Import's Title and Unique Identifier fields are outputted, to minimize the risk of exploitation.