CVE-2021-24365_WordPress_Admin_Columns_XSS漏洞

# CVE-2021-24365 WordPress Admin Columns XSS漏洞
==INFO==
WordPress Admin Columns plugin versions below 5.5.2 Pro and 4.3.2 Pro suffers from a cross site scripting vulnerability.

==XSS==

Proof of Concept (PoC):

1. Create a custom field for WordPress users which allows storing HTML
    control characters. This can be done, e.g., with the "Advanced Custom
    Fields" plug-in [2].

2. Store "" in the custom field for any user.

3. Open the Admin Columns plug-in settings.

4. Choose the "Admin Columns" tab and select "Users" from the drop-down
    menu.

5. Click "Add Column", choose the type "Custom Field" and select the
    previously created custom field.

6. Open the user list in the WordPress back end. The JavaScript code
    will be executed.