PT-2024-10889 · WordPress · Simple Sort&Search Wordpress Plugin

Apple502J · Published 2024-01-16 · Updated 2024-01-23 · CVE-2021-24433

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: simple sort&search WordPress plugin, versions 0.0.3 and earlier

Description: The simple sort&search WordPress plugin does not check that the indexurl parameter of the shortcodes category sims, order sims, orderby sims, period sims and tag sims uses an allowed URL protocol (such as http or https) before the value is written into the page. A user with a role as low as Contributor can therefore put one of these shortcodes into a post with an indexurl that carries a javascript: URL; the value is stored with the post and emitted unchanged whenever the post is rendered, so the script runs in the browser of every visitor who views it, including editors and administrators who review the draft. The flaw is a stored cross-site scripting vulnerability.

Recommendations: For versions 0.0.3 and earlier there is, at the time of writing, no information about a newer version that contains a fix. As a temporary workaround, disable the shortcodes category sims, order sims, orderby sims, period sims and tag sims (for example by removing them with remove_shortcode() from a must-use plugin) until a patch is available, or at least do not use the indexurl parameter in them. Because the payload is stored, also audit existing post content for these shortcodes and reject any indexurl whose scheme is not on an allowlist; a proper fix in the plugin should pass the attribute through WordPress's esc_url(), which drops values with disallowed protocols, rather than echoing it directly.
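The check a patched plugin needs and the audit of already-stored posts are the same comparison: extract the scheme of the indexurl value and test it against an allowlist. The following Python is an added example written for this advisory, not code from the simple sort&search plugin or from WordPress. It assumes the shortcode syntax and the indexurl attribute named above, uses a short allowlist of schemes as an assumption (WordPress's own default list from wp_allowed_protocols() is longer), and runs over constructed sample post contents rather than a real database. The normalisation steps (HTML-entity decoding, stripping whitespace and control characters inside the scheme, case folding) are the bypasses a naive "starts with javascript:" check misses, which is why the scheme is compared only after normalisation.

```python
import html
import re
from typing import List, Optional, Tuple

# Constructed sample post contents (post_id, post_content). These are made up
# for this example and do not come from any real site or from the advisory.
SAMPLE_POSTS: List[Tuple[int, str]] = [
    (1, '[category sims indexurl="https://example.test/archive"]'),
    (2, '[tag sims indexurl="javascript:alert(document.cookie)"]'),
    (3, '[order sims indexurl=" JaVaScRiPt:alert(1)"]'),          # leading space, mixed case
    (4, '[orderby sims indexurl="java&#09;script:alert(1)"]'),     # entity-encoded tab in scheme
    (5, '[period sims indexurl="/relative/path"]'),                # no scheme at all
    (6, "plain text without shortcodes"),
    (7, "[tag sims indexurl='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==']"),
]

# Shortcode names taken from the advisory.
AFFECTED_SHORTCODES = ("category sims", "order sims", "orderby sims", "period sims", "tag sims")

# Allowlist of URL schemes (assumption for this example; WordPress's default
# list is longer). Anything not listed here is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

SHORTCODE_RE = re.compile(
    r"\[(" + "|".join(re.escape(s) for s in AFFECTED_SHORTCODES) + r")\b([^\]]*)\]",
    re.IGNORECASE,
)
ATTR_RE = re.compile(r"""indexurl\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)


def url_scheme(raw: str) -> Optional[str]:
    """Return the normalised scheme of a URL, or None if the URL is relative.

    Entities are decoded first (so &#09; becomes a tab), leading whitespace is
    dropped, and whitespace/control characters inside the scheme are removed,
    because browsers ignore them when deciding that a link is javascript:.
    """
    decoded = html.unescape(raw).lstrip()
    match = re.match(r"([^:/?#]*):", decoded)
    if match is None:
        return None  # no scheme before the first / ? or #: a relative URL
    return re.sub(r"[\x00-\x20\x7f]", "", match.group(1)).lower()


def is_allowed_url(raw: str, allowed=frozenset(ALLOWED_SCHEMES)) -> bool:
    """True if the URL is relative or its normalised scheme is allowlisted."""
    scheme = url_scheme(raw)
    return scheme is None or scheme in allowed


def find_unsafe_shortcodes(posts) -> List[Tuple[int, str, str, Optional[str]]]:
    """Scan (post_id, content) pairs and report affected shortcodes whose
    indexurl would fail the scheme allowlist: (post_id, shortcode, value, scheme)."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            name, attrs = sc.group(1).lower(), sc.group(2)
            attr = ATTR_RE.search(attrs)
            if attr is None:
                continue  # shortcode without indexurl is not affected
            value = next(g for g in attr.groups() if g is not None)
            if not is_allowed_url(value):
                findings.append((post_id, name, value, url_scheme(value)))
    return findings


if __name__ == "__main__":
    for post_id, name, value, scheme in find_unsafe_shortcodes(SAMPLE_POSTS):
        print(f"post {post_id}: [{name}] indexurl={value!r} -> scheme {scheme!r} not allowed")
```

On the sample data the scanner reports posts 2, 3, 4 and 7 and leaves the https and relative values alone. The same url_scheme logic is what the plugin should apply before output; in PHP the equivalent built-in is esc_url(), which returns an empty string for a disallowed protocol.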

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-24433

Affected Products

Simple Sort&Search Wordpress Plugin