The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2021-09-13T17:56:27
Updated: 2024-08-03T19:35:20.192Z
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24586
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2021-09-13T18:15:16.517
Modified: 2022-12-20T22:01:37.097
Link: CVE-2021-24586
Redhat
No data.