PT-2021-16056 · WordPress · Light Messages Wordpress Plugin
Vinay Bhuria · Published 2021-08-16 · Updated 2021-08-23
CVE-2021-24535
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Light Messages WordPress plugin version 1.0
Description
The issue stems from two defects: there is no CSRF check when the plugin's settings are updated, and the Message Content field is not sanitized, even when unfiltered HTML is disallowed for the user (the unfiltered_html capability is not granted). Together these allow an attacker to make a logged-in admin update the settings to arbitrary values and store a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload is triggered in the backend only or in both the frontend and the backend.
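The following is an added illustration, not the Light Messages plugin's own code: a hypothetical settings handler written the way the advisory describes the defect (no nonce check, Message Content stored and echoed verbatim), placed beside the hardened form using the WordPress APIs that close each gap. Function names, option names, form field names and the nonce action are assumptions chosen for the example.

```php
<?php
// Added illustration (not the Light Messages plugin's code). Option names,
// field names and the nonce action are assumptions for this example.

// ---- Pattern matching the advisory: no CSRF check, no sanitization ----
function lm_save_settings_vulnerable() {
    if ( ! isset( $_POST['lm_message'] ) ) {
        return;
    }
    // No nonce and no capability check: any page that makes the admin's
    // browser submit this form changes the settings (CSRF).
    // No sanitization: markup in the message is stored as-is even for users
    // lacking the unfiltered_html capability, and is echoed later.
    update_option( 'lm_message_content', wp_unslash( $_POST['lm_message'] ) );
    update_option( 'lm_show_on_frontend', isset( $_POST['lm_frontend'] ) ? 1 : 0 );
}

function lm_render_message_vulnerable() {
    // Stored XSS sink: the option is printed without escaping or filtering.
    // Whether this runs on the frontend as well as the backend depends on
    // the lm_show_on_frontend option, mirroring the advisory's note.
    echo get_option( 'lm_message_content' );
}

// ---- Hardened pattern ----
function lm_save_settings_hardened() {
    if ( ! isset( $_POST['lm_message'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage options may update them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lm' ), 403 );
    }
    // 2. CSRF: verify the nonce emitted in the settings form by
    //    wp_nonce_field( 'lm_save_settings', 'lm_nonce' ). On failure
    //    check_admin_referer() terminates the request.
    check_admin_referer( 'lm_save_settings', 'lm_nonce' );

    // 3. Sanitization that respects unfiltered_html: users without the
    //    capability get the same allow-list WordPress applies to post content.
    $raw     = wp_unslash( $_POST['lm_message'] );
    $content = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    update_option( 'lm_message_content', $content );
    update_option( 'lm_show_on_frontend', isset( $_POST['lm_frontend'] ) ? 1 : 0 );
}

function lm_render_message_hardened() {
    // Filter at the sink as well, so content that reached the option by
    // another path (import, direct DB edit) is still constrained on output.
    echo wp_kses_post( get_option( 'lm_message_content', '' ) );
}

// If the plugin uses the Settings API instead of a custom handler, the same
// rule belongs in a sanitize_callback so that options.php enforces it.
function lm_register_settings() {
    register_setting(
        'lm_options_group',
        'lm_message_content',
        array(
            'type'              => 'string',
            'sanitize_callback' => function ( $value ) {
                return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
            },
        )
    );
}
add_action( 'admin_init', 'lm_register_settings' );
```

The hardened handler addresses the two findings independently: the nonce check stops a cross-site form submission from being accepted, and the capability-aware sanitization stops markup from being stored when unfiltered HTML is disallowed. Filtering again on output is a defence-in-depth step rather than a substitute for the input-side fix.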
Recommendations
For version 1.0, consider disabling the plugin's settings update functionality until a patch is available, to prevent arbitrary settings changes and Cross-Site Scripting. Restrict access to the plugin's settings page to minimize the risk of exploitation, and avoid using the Message Content field until the issue is resolved. At the time of writing there is no information about a newer version containing a fix for this vulnerability.
Exploit
XSS
CSRF
Related Identifiers
Affected Products
Light Messages Wordpress Plugin