CVE-2021-24466: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-24466) affects the WordPress plugin Verse-O-Matic versions 4.1.1 and below. It was discovered and reported by Ajay Sandipan Thorbole, and publicly disclosed on July 19, 2021. The vulnerability combines Cross-Site Request Forgery (CSRF) with Stored Cross-Site Scripting (XSS) issues in the plugin (WPScan).

The vulnerability stems from the absence of CSRF protection mechanisms in the plugin, coupled with inadequate sanitization in both settings and verses sections. The CVSS score is rated as 7.1 (High), and it is classified under CWE-352 (Cross-Site Request Forgery). The vulnerability allows attackers to perform unauthorized actions through CSRF attacks, which can lead to stored XSS issues (WPScan).

The vulnerability enables attackers to manipulate logged-in administrators into performing unwanted actions, including adding, editing, or deleting arbitrary verses and modifying plugin settings. Due to the lack of proper sanitization, these actions can result in stored Cross-Site Scripting attacks (WPScan).

As of the last update on August 10, 2021, there was no known fix available for this vulnerability. Users of the Verse-O-Matic plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).