PT-2021-15992 · WordPress · Leaflet Map

Apple502J · Published 2021-08-09 · Updated 2023-02-03 · CVE-2021-24467

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Leaflet Map WordPress plugin versions prior to 3.0.0

Description: The plugin does not verify the CSRF nonce when saving its settings, so an attacker can make a logged-in admin update those settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting by either changing the URL of the JavaScript library being used or supplying malicious attribution text that is then executed on every page with an embedded map from the plugin.

Recommendations: For versions prior to 3.0.0, update to version 3.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation. Until the issue is resolved, review the plugin's attribution setting for unexpected content.
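As an added example that is not the Leaflet Map plugin's own code, the following sketch shows a WordPress settings handler in the shape the advisory describes (a save routine with no nonce verification) beside a hardened version; all function, option, field and nonce names are assumptions.

```php
<?php
// Added illustration, not the Leaflet Map plugin's own code: a minimal
// WordPress settings handler in the vulnerable shape the advisory describes,
// followed by a hardened version. Option, field and nonce names are assumed.

// VULNERABLE: any POST arriving with the admin's session cookie is honoured,
// so a page on another origin can submit this form on the admin's behalf.
function leafletdemo_save_settings_vulnerable() {
    if ( ! isset( $_POST['leafletdemo_submit'] ) ) {
        return;
    }
    // No nonce check: nothing ties the request to a form this site issued.
    update_option( 'leafletdemo_js_url', $_POST['js_url'] );            // stored raw
    update_option( 'leafletdemo_attribution', $_POST['attribution'] );  // stored raw
}

// HARDENED: the nonce ties the request to a form rendered for this user,
// the capability check limits who may change settings, and the values are
// sanitised so neither the library URL nor the attribution can carry script.
function leafletdemo_save_settings_fixed() {
    if ( ! isset( $_POST['leafletdemo_submit'] ) ) {
        return;
    }
    // wp_die()s if the nonce is missing, expired or issued for another user.
    check_admin_referer( 'leafletdemo_save_settings', 'leafletdemo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'leafletdemo' ) );
    }
    // Only http(s) URLs survive; javascript: and data: schemes are dropped.
    $js_url = esc_url_raw( wp_unslash( $_POST['js_url'] ?? '' ), array( 'http', 'https' ) );
    // Attribution may carry a link, but no tags or attributes that execute.
    $attribution = wp_kses(
        wp_unslash( $_POST['attribution'] ?? '' ),
        array( 'a' => array( 'href' => true, 'title' => true ) )
    );
    update_option( 'leafletdemo_js_url', $js_url );
    update_option( 'leafletdemo_attribution', $attribution );
}

// The settings form must emit the matching nonce field for the check to pass.
function leafletdemo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'leafletdemo_save_settings', 'leafletdemo_nonce' );
    echo '<input type="url" name="js_url"><input type="text" name="attribution">';
    echo '<button name="leafletdemo_submit" value="1">Save</button></form>';
}
add_action( 'admin_init', 'leafletdemo_save_settings_fixed' );
```

Sanitising on save is not a substitute for output escaping: the stored library URL and attribution still need esc_url() and wp_kses_post() (or equivalent) at the point where the map markup is emitted.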

Tags: XSS, CSRF

Weakness Enumeration: none listed

Related Identifiers: CVE-2021-24467

Affected Products: Leaflet Map