CVE-2021-24973

Name of the Vulnerable Software and Affected Versions Site Reviews WordPress plugin versions prior to 5.17.3

Description The issue allows unauthenticated and any authenticated users to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin. This is due to the plugin not sanitising and escaping the site-reviews parameter of the glsr action AJAX action.

Recommendations For versions prior to 5.17.3, update to version 5.17.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the glsr action AJAX action to minimize the risk of exploitation. Avoid using the site-reviews parameter in the affected AJAX endpoint until the issue is resolved.