CVE-2021-24272: 
WordPress vulnerability analysis and mitigation

The Fitness Calculators WordPress plugin (versions before 1.9.6) contained a security vulnerability identified as CVE-2021-24272. The plugin, which provides calculators for Water intake, BMI, protein Intake, and Body Fat measurements, was discovered to have security issues related to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). The vulnerability was publicly disclosed on April 14, 2021, and was subsequently fixed in version 1.9.6 (WPScan).

The vulnerability was classified with a CVSS score of 7.1 (high severity) and was categorized under CWE-352. The security issue stemmed from the lack of CSRF protection checks in the plugin's functionality, particularly in areas where calculator headers could be modified. Additionally, the absence of proper input sanitization contributed to a potential Stored Cross-Site Scripting vulnerability (WPScan).

The vulnerability allowed attackers to manipulate logged-in users into performing unwanted actions, specifically the ability to change calculator headers without their knowledge or consent. The lack of sanitization could lead to stored XSS attacks, potentially compromising the security of the WordPress installation (WPScan).

The vulnerability was patched in version 1.9.6 of the Fitness Calculators plugin. Website administrators running affected versions should upgrade to version 1.9.6 or later to protect against these security issues (WPScan).

The vulnerability was initially discovered and reported by security researcher 0xB9. The issue was verified and documented in the WPScan Vulnerability Database, highlighting the importance of proper security controls in WordPress plugins (WPScan).