PT-2022-9616 · WordPress · Five Star Business Profile/Schema

Author: Krzysztof Zając · Published: 2022-02-21 · Updated: 2022-02-28 · CVE-2021-25060

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Five Star Business Profile and Schema WordPress plugin, versions prior to 2.1.7.

Description: The issue concerns the lack of authorization and CSRF protection in certain AJAX actions, specifically bpfwp welcome add contact page and bpfwp welcome set contact information, allowing any authenticated user to call them. Additionally, the lack of input sanitization in these actions leads to Stored Cross-Site Scripting.

Recommendations: For versions prior to 2.1.7, update to version 2.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the bpfwp welcome add contact page and bpfwp welcome set contact information AJAX actions to prevent exploitation.
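The flaw pattern described above, as an added example in PHP that is not code from the plugin or from the advisory: a WordPress AJAX handler of the weak shape the advisory describes (reachable by any logged-in user, no nonce, unsanitized input stored) beside a hardened form that enforces a nonce, a capability check, per-field sanitization on input and escaping on output. The underscored hook name, the option names and the field names are assumptions based on the action names in the advisory.

```php
<?php
// Added example (not the plugin's own code). The hook name assumes the underscored
// form of an AJAX action named in the advisory; option and field names are hypothetical.

// Weak pattern the advisory describes: the wp_ajax_ hook fires for any authenticated
// user, no nonce is verified, and request data is stored without sanitization.
function bpfwp_welcome_set_contact_information_weak() {
    update_option( 'bpfwp_contact_information', wp_unslash( $_POST ) );
    wp_die();
}

// Hardened form: CSRF token, capability check, and per-field sanitization.
function bpfwp_welcome_set_contact_information_hardened() {
    // Rejects the request with a 403 unless a valid nonce for this action is present.
    check_ajax_referer( 'bpfwp_welcome_nonce', 'nonce' );

    // Only users allowed to manage site settings may change the business profile.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Allow-list the expected fields and sanitize each one; nothing else from $_POST is kept.
    $data = array(
        'name'    => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'phone'   => sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ),
        'email'   => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'website' => esc_url_raw( wp_unslash( $_POST['website'] ?? '' ) ),
    );

    update_option( 'bpfwp_contact_information', $data );
    wp_send_json_success( $data );
}
add_action( 'wp_ajax_bpfwp_welcome_set_contact_information', 'bpfwp_welcome_set_contact_information_hardened' );

// The nonce is handed to the admin page that issues the request, e.g. alongside its script:
// wp_localize_script( 'bpfwp-welcome', 'bpfwpWelcome',
//     array( 'nonce' => wp_create_nonce( 'bpfwp_welcome_nonce' ) ) );

// Stored values are escaped again at render time, so a value that slipped past input
// sanitization still cannot become markup in the page.
function bpfwp_render_contact_information() {
    $data = get_option( 'bpfwp_contact_information', array() );
    printf(
        '<p>%s &middot; %s &middot; <a href="%s">%s</a></p>',
        esc_html( $data['name'] ?? '' ),
        esc_html( $data['phone'] ?? '' ),
        esc_url( $data['website'] ?? '' ),
        esc_html( $data['email'] ?? '' )
    );
}
```

Restricting the action to `manage_options` is the stronger counterpart of the advisory's temporary workaround; the nonce check is what closes the CSRF half of the issue.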

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-25060

Affected Products: Five Star Business Profile/Schema