CVE-2021-24467

MEDIUM

Leaflet Map < 3.0.0 - Cross-Site Request Forgery via Settings Update

Title source: llm
STIX 2.1

Description

The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/ac32d265-066e-49ec-9042-3145cd99e2e8

Scores

CVSS v3 6.5
EPSS 0.0056
EPSS Percentile 42.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
leaflet_map_project/leaflet_map < 3.0.0
Published Aug 09, 2021
Tracked Since Feb 18, 2026