CVE-2021-42360: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-42360) was discovered in the Starter Templates WordPress plugin when used in conjunction with the Elementor plugin. The issue was identified on October 4, 2021, and affected over 1 million WordPress sites running Starter Templates versions up to 2.7.0. This security flaw allowed users with edit_posts capability (including Contributor-level users) to perform unauthorized actions through the astra-page-elementor-batch-process AJAX functionality (Wordfence Blog).

The vulnerability stems from improper access control and resource injection in the astra-page-elementor-batch-process AJAX action. The CVSS v3.1 base score ranges from 5.4 (MEDIUM) to 7.6 (HIGH), with different assessments from NVD and Wordfence. The vulnerability is classified under multiple CWE categories including CWE-99 (Resource Injection), CWE-79 (Cross-site Scripting), and CWE-284 (Improper Access Control) (NVD Database).

The vulnerability allows attackers to craft and host malicious JavaScript blocks on their controlled servers and overwrite any post or page built with Elementor, including published pages. When visitors access the compromised pages, the malicious JavaScript executes in their browsers, potentially leading to various security implications (Wordfence Blog).

A patch was released in version 2.7.1 of the Starter Templates plugin. Site administrators are strongly advised to update to this version or later to protect against this vulnerability (Wordfence Blog).