CVE-2021-24467
MEDIUMLeaflet Map < 3.0.0 - Cross-Site Request Forgery via Settings Update
Title source: llmDescription
The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8
Scores
CVSS v3
6.5
EPSS
0.0056
EPSS Percentile
42.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
CWE-79
Status
published
Products (1)
leaflet_map_project/leaflet_map
< 3.0.0
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026