CVE-2021-24586: 
WordPress vulnerability analysis and mitigation

The Per Page Add to Head WordPress plugin before version 1.4.4 contains a Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability. The plugin lacks CSRF protection when saving settings and allows arbitrary HTML insertion, which could be exploited by attackers to modify settings and execute malicious scripts (WPScan Advisory).

The vulnerability combines two security issues: a CSRF vulnerability due to missing security checks when saving settings, and a Stored XSS vulnerability through arbitrary HTML insertion in plugin settings. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The issues are tracked under CWE-352 (Cross-Site Request Forgery) and CWE-79 (Cross-site Scripting) (NVD Database).

The vulnerability could allow attackers to make a logged-in administrator change plugin settings and execute arbitrary JavaScript code. Depending on the payload used, the XSS attack could be triggered in the backend, frontend, or both, potentially affecting both administrators and site visitors (WPScan Advisory).

The vulnerability was fixed in version 1.4.4 of the Per Page Add to Head plugin. Users are strongly recommended to update to this version or later to protect against these security issues (WPScan Advisory).