CVE-2021-25106

Name of the Vulnerable Software and Affected Versions WPLegalPages WordPress plugin versions prior to 2.7.1

Description The issue arises from the plugin's failure to check for authorization and its flawed CSRF logic when saving settings, allowing any authenticated user to update them. Additionally, the lack of sanitization and escaping can lead to Stored Cross-Site Scripting.

Recommendations For versions prior to 2.7.1, update to version 2.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings page to minimize the risk of exploitation.