CVE-2021-24467
Last modified
CVE-2021-24467 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin. EPSS estimates a 0.56% chance of exploitation in the next 30 days.
Description
The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Leaflet Map Project | Leaflet Map | < 3.0.0 |
References
- https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24467?
How severe is CVE-2021-24467?
How do I fix CVE-2021-24467?
Are you affected by CVE-2021-24467?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST