PT-2022-9538 · WordPress · Responsive Menu

Krzysztof Zając · Published 2022-02-28 · Updated 2022-03-08 · CVE-2021-24971

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Responsive Menu versions prior to 3.1.7.1

Description: The plugin's wpr_live_update AJAX action performs neither a capability check nor a CSRF (nonce) check, and the submitted data is not sufficiently sanitized on input or escaped on output. As a result, any authenticated user, even one with the subscriber role, can update the plugin's settings and inject stored Cross-Site Scripting payloads that execute for all visitors and users of the frontend.

Recommendations: For versions prior to 3.1.7.1, update to version 3.1.7.1 or later to resolve the issue. As a temporary workaround, restrict access to the wpr_live_update AJAX action so that low-privileged users cannot modify the plugin's settings, and avoid using the vulnerable action until the update is applied.
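The three controls the advisory says were missing (nonce check, capability check, sanitization with output escaping), shown as an added illustration in a hypothetical WordPress AJAX settings handler. This is not the plugin's own code; the action, option, nonce and field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a settings-update AJAX handler
// hardened with the checks that the vulnerable action lacked.
// Only wp_ajax_ (not wp_ajax_nopriv_) is registered, so unauthenticated
// requests never reach the handler; authenticated low-privileged users are
// stopped by the capability check below.
add_action( 'wp_ajax_example_live_update', 'example_live_update' );

function example_live_update() {
    // 1. CSRF check: the request must carry a nonce minted for this action.
    //    check_ajax_referer() ends the request with "-1" if it is missing or invalid.
    check_ajax_referer( 'example_live_update_nonce', 'nonce' );

    // 2. Capability check: a valid nonce proves intent, not authority.
    //    Subscribers do not have manage_options, so they are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize on input before anything is persisted.
    $raw      = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $settings = array(
        'menu_title' => sanitize_text_field( $raw['menu_title'] ?? '' ), // hypothetical field
        'breakpoint' => absint( $raw['breakpoint'] ?? 800 ),               // hypothetical field
    );
    update_option( 'example_menu_settings', $settings ); // hypothetical option name

    wp_send_json_success( $settings );
}

// 4. Escape on output: stored settings are untrusted when rendered on the frontend.
function example_render_menu_title() {
    $settings = get_option( 'example_menu_settings', array() );
    echo '<span class="menu-title">' . esc_html( $settings['menu_title'] ?? '' ) . '</span>';
}

// The nonce is generated server-side and handed to the admin script that
// issues the AJAX request; it is tied to the current user and expires.
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_live_update_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```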

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-24971

Affected Products: Responsive Menu