CVE-2021-4407: 
WordPress vulnerability analysis and mitigation

The Custom Banners plugin for WordPress (versions up to 3.2.2) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-4407. The vulnerability stems from missing or incorrect nonce validation in the saveCustomFields() function, which could allow unauthenticated attackers to manipulate custom fields through forged requests (NVD).

The vulnerability exists due to improper implementation of CSRF protection mechanisms in the saveCustomFields() method. The plugin fails to properly validate the CSRF nonce, which allows attackers to bypass the security check. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

If exploited, this vulnerability could allow attackers to save custom fields in a post by tricking an administrator into clicking a malicious link. The attack requires user interaction, as the administrator needs to be logged in and perform a specific action for the attack to succeed (WPScan).

The vulnerability has been fixed in version 3.3 of the Custom Banners plugin. Site administrators are strongly advised to update to this version or later. The update includes both the CSRF fix and additional sanitization improvements (WPScan).