PT-2021-16102 · WordPress · Per Page Add To Head

Prashant Karman Patel · Published 2021-09-13 · Updated 2022-12-21 · CVE-2021-24586

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Per Page Add To Head WordPress plugin, versions prior to 1.4.4

Description: The settings-save handler performs no CSRF check, so an attacker who lures a logged-in admin to a crafted page can change the plugin's settings on that admin's behalf. In addition, one of the plugin's settings accepts arbitrary HTML and stores it verbatim, which makes the CSRF a path to Stored XSS. Depending on the stored payload, the injected markup is rendered in the backend, the frontend, or both.

Recommendations: Update to version 1.4.4 or later, which resolves the issue. Until the update is applied, restrict access to the plugin's settings page to reduce exposure, and avoid using the setting that accepts arbitrary HTML.
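To show the two defects side by side, the following is an added illustration in the style of a WordPress options handler; it is not the plugin's code, and the `ppath_*` option, action and function names are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code: ppath_* names are hypothetical.

// BEFORE: any POST that reaches this handler is saved. A logged-in admin who
// visits a crafted page submits it unknowingly (CSRF), and the value is stored
// verbatim and later echoed into <head> (Stored XSS).
function ppath_save_settings_vulnerable() {
    if ( isset( $_POST['ppath_head_html'] ) ) {
        update_option( 'ppath_head_html', $_POST['ppath_head_html'] );
    }
}

// AFTER: the form carries a nonce, and the handler verifies it, requires an
// administrative capability, and only stores raw markup for users WordPress
// already trusts with it.
function ppath_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ppath_save_settings', 'ppath_nonce' ); ?>
        <textarea name="ppath_head_html"><?php
            echo esc_textarea( get_option( 'ppath_head_html', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function ppath_save_settings_hardened() {
    if ( ! isset( $_POST['ppath_head_html'] ) ) {
        return;
    }
    // Dies unless the request carries a valid nonce tied to this action,
    // i.e. unless it originated from the plugin's own settings form.
    check_admin_referer( 'ppath_save_settings', 'ppath_nonce' );
    // Settings changes require an admin-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $html = wp_unslash( $_POST['ppath_head_html'] );
    // Users without unfiltered_html get the markup reduced to post-safe tags.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html );
    }
    update_option( 'ppath_head_html', $html );
}
```

The nonce check addresses the CSRF; the capability gate limits who can store raw HTML, which is the part of the feature that turns a forged settings change into Stored XSS.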

Tags: XSS, CSRF

Weakness Enumeration

Related Identifiers: CVE-2021-24586

Affected Products: Per Page Add To Head