CVE-2021-41836

Name of the Vulnerable Software and Affected Versions Fathom Analytics WordPress plugin versions up to and including 3.0.4

Description The issue arises from insufficient input validation and escaping via the site id parameter in the ~/fathom-analytics.php file, allowing attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled.

Recommendations For versions up to and including 3.0.4, update to a version that includes the necessary input validation and escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the ~/fathom-analytics.php file or disabling the site id parameter until a patch is available. Additionally, review and adjust the unfiltered html settings for administrators to minimize the risk of exploitation.