CVE-2021-24467: 
WordPress vulnerability analysis and mitigation

The Leaflet Map WordPress plugin before version 3.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability that was discovered on July 1, 2021. The vulnerability allows attackers to manipulate plugin settings when a logged-in administrator visits a malicious page. This security flaw was assigned CVE-2021-24467 and affects all versions of the Leaflet Map WordPress plugin prior to version 3.0.0 (WPScan Advisory).

The vulnerability stems from the plugin's failure to implement proper CSRF protection mechanisms when saving settings. Specifically, the plugin does not verify the CSRF nonce during the settings save operation. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The weakness is classified under both CWE-352 (Cross-Site Request Forgery) and CWE-79 (Cross-site Scripting) (NVD).

The vulnerability can lead to stored Cross-Site Scripting (XSS) attacks through two primary vectors: by modifying the URL of the JavaScript library being used, or by injecting malicious attributions that will be executed on all pages containing an embedded map from the plugin. This creates a significant security risk as the injected malicious code would execute in the context of all users viewing pages with embedded maps (WPScan Advisory).

The vulnerability has been fixed in version 3.0.0 of the Leaflet Map WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against this security risk (WPScan Advisory).