CVE-2021-24586

Published: Sep 13, 2021Modified: Jun 17, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.

Affected (1)

Products: Evona: Per Page Add To Head

1 product

Per Page Add To Head

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Evona Per Page Add To Head	Before 1.4.4

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://wpscan.com/vulnerability/e9885fba-0e73-41a0-9e1d-47badc09be85

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/e9885fba-0e73-41a0-9e1d-47badc09be85

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.