
CVE-2021-24366: CWE-79 Cross-Site Scripting (XSS) in Unknown Admin Columns

Severity: Medium
Tags: CVE-2021-24366, cve, cwe-79
Published: Mon Jun 21 2021 (06/21/2021, 19:18:16 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Admin Columns

Description

The Admin Columns WordPress plugin before 4.3 and the Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape their Label settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

AI-Powered Analysis

Last updated: 07/06/2025, 21:58:28 UTC

Technical Analysis

CVE-2021-24366 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the Admin Columns WordPress plugin in versions prior to 4.3 and Admin Columns Pro in versions prior to 5.5.1. The flaw exists because the plugin neither sanitises nor escapes the Label settings of its admin columns. A user with high privileges, such as an administrator, can therefore store script in a Label field; the value is persisted and later rendered in the WordPress admin interface, which makes this a stored (persistent) XSS condition. Notably, the issue can be exploited even when the unfiltered_html capability is disallowed, for example in multisite setups, where that restriction would normally prevent users from posting unfiltered HTML. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, privileges and user interaction required, impact on confidentiality and integrity, and no impact on availability. The scope is changed (S:C), meaning a successful attack can affect resources beyond the vulnerable component itself. No exploitation in the wild has been reported, but stored XSS in an admin context can lead to session hijacking, privilege escalation, or further compromise of the WordPress environment. The root cause is missing input validation and output encoding in the plugin's label settings. The vulnerability was publicly disclosed in June 2021; upgrading to a patched version remediates it.

Potential Impact

For European organizations using WordPress sites with the Admin Columns plugin, this vulnerability could lead to unauthorized script execution within the administrative interface. This can result in theft of administrator session cookies, enabling attackers to impersonate admins and potentially gain full control over the website. The integrity of the website content and administrative data could be compromised, leading to defacement, data manipulation, or insertion of malicious content. Confidential information accessible via the admin panel could be exposed. Although availability is not directly impacted, the downstream effects of a successful attack could disrupt business operations, damage reputation, and lead to regulatory compliance issues under GDPR if personal data is involved. Organizations running multisite WordPress installations are particularly at risk since the vulnerability bypasses the unfiltered_html capability restrictions. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce websites, exploitation could have significant operational and reputational consequences.

Mitigation Recommendations

European organizations should immediately check whether their WordPress installations use the Admin Columns or Admin Columns Pro plugin and which version is installed. Upgrading to Admin Columns 4.3 or later, or Admin Columns Pro 5.5.1 or later, is the primary mitigation. If an immediate upgrade is not feasible, administrators should restrict access to the plugin's settings to the most trusted users and monitor the admin interface for suspicious activity. A Web Application Firewall (WAF) with rules that detect and block XSS payloads aimed at admin pages can provide temporary protection. Additionally, organizations should enforce a strict Content Security Policy (CSP) that limits the sources from which scripts may execute, reducing the impact of any injected script. Regular security audits, including scanning the stored column settings for HTML or script content, can help detect exploitation attempts. Finally, educating administrators about the risks of stored XSS and enforcing strong authentication (e.g., MFA) limits the damage a compromised admin session can do.
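As an added illustration (not Admin Columns' own code; the option name, function names and data layout are hypothetical, the WordPress API calls are real), the store-and-echo pattern the analysis describes beside its hardened form, plus a small audit helper for the "scan stored settings" mitigation:

```php
<?php
// Added illustration, not the plugin's code. The option name
// 'acx_example_labels' and the acx_* functions are hypothetical; the
// WordPress API calls (sanitize_text_field, wp_unslash, esc_html,
// wp_strip_all_tags, update_option, get_option) are real.

// Vulnerable pattern: the label is stored and echoed verbatim. The
// unfiltered_html capability is never consulted, so an admin who is not
// allowed to post raw HTML (e.g. on multisite) still gets markup into wp-admin.
function acx_save_label_vulnerable( string $column, string $raw ): void {
    $labels            = (array) get_option( 'acx_example_labels', array() );
    $labels[ $column ] = $raw;                                   // no sanitisation
    update_option( 'acx_example_labels', $labels );
}
function acx_render_label_vulnerable( string $column ): string {
    $labels = (array) get_option( 'acx_example_labels', array() );
    return '<th>' . ( $labels[ $column ] ?? '' ) . '</th>';      // no escaping
}

// Hardened pattern: sanitise on input AND escape on output. Either step alone
// neutralises the stored-XSS path; doing both also covers values that reached
// the database some other way (settings import, direct SQL, an older version).
function acx_save_label_fixed( string $column, string $raw ): void {
    $labels            = (array) get_option( 'acx_example_labels', array() );
    $labels[ $column ] = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'acx_example_labels', $labels );
}
function acx_render_label_fixed( string $column ): string {
    $labels = (array) get_option( 'acx_example_labels', array() );
    return '<th>' . esc_html( $labels[ $column ] ?? '' ) . '</th>';
}

// Audit helper: returns the column keys whose stored label still contains
// markup, i.e. values a vulnerable version may have persisted before the
// upgrade. Run it once after patching and review each hit by hand.
function acx_find_labels_with_markup(): array {
    $labels = (array) get_option( 'acx_example_labels', array() );
    $hits   = array();
    foreach ( $labels as $column => $label ) {
        if ( wp_strip_all_tags( (string) $label ) !== (string) $label ) {
            $hits[] = $column;
        }
    }
    return $hits;
}
```

Upgrading to the patched release remains the fix; the audit helper only tells you whether a pre-upgrade payload is still sitting in the settings table.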


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2021-01-14T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdba56

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 9:58:28 PM

Last updated: 7/23/2025, 10:34:12 PM

