CVE-2021-24586

The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:evona:per_page_add_to_head:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2021-09-13 18:15

Updated : 2024-02-28 18:48


NVD link : CVE-2021-24586

Mitre link : CVE-2021-24586

CVE.ORG link : CVE-2021-24586


JSON object : View

Products Affected

evona

  • per_page_add_to_head
CWE
CWE-352

Cross-Site Request Forgery (CSRF)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')