CVE-2021-24950: 
WordPress vulnerability analysis and mitigation

CVE-2021-24950 affects the Insight Core WordPress plugin version 1.0 and below. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on December 28, 2021. This security issue exists in the plugin's customizer options import functionality, which lacks proper authorization controls and input validation (WPScan).

The vulnerability stems from multiple security issues in the insightcustomizeroptions_import function. The plugin lacks proper authorization and CSRF checks for authenticated users, fails to validate user input before passing it to the unserialize() function, and doesn't properly sanitize and escape output in the response. The vulnerability has been assigned a CVSS score of 6.4 (medium) and is classified under CWE-862 and OWASP Top 10 A5: Broken Access Control (WPScan).

The vulnerability allows users with privileges as low as Subscriber to perform PHP Object Injection and execute Stored Cross-Site Scripting (XSS) attacks. The XSS payload can be triggered on all frontend pages of the affected WordPress installation (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users of the Insight Core plugin should consider implementing additional security measures or removing the plugin until a patch is released (WPScan).