CVE-2021-24950

Name of the Vulnerable Software and Affected Versions Insight Core WordPress plugin versions prior to 1.1

Description The issue concerns the lack of authorization and CSRF checks in the insight customizer options import function, which is accessible to any authenticated user. Additionally, it fails to validate user input before passing it to unserialize(), and does not sanitize and escape the input before outputting it in the response. This could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks.

Recommendations For Insight Core WordPress plugin versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the insight customizer options import function to minimize the risk of exploitation.