CVE-2021-4419: 
WordPress vulnerability analysis and mitigation

The WP-Backgrounds Lite WordPress plugin (versions up to and including 2.3) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-4419. The vulnerability was discovered by Jerome Bruandet of NinTechNet and publicly disclosed on August 16, 2021. The issue affects the plugin's data saving functionality through the ino_save_data() function (CVE MITRE).

The vulnerability stems from missing or incorrect nonce validation in the ino_save_data() function. Specifically, the security check in the plugin only verifies the nonce if $_POST['ino_meta_box_nonce'] is set, creating a bypass condition. The vulnerable code is located in inoplugs_background_plugin.php at line 183, where the nonce verification can be circumvented if the nonce parameter is not present in the request (NinTechNet Blog).

When successfully exploited, this vulnerability allows unauthenticated attackers to save metadata through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (CVE MITRE).

The plugin has been closed and is no longer available for download. Users should remove the WP-Backgrounds Lite plugin from their WordPress installations and seek alternative solutions (NinTechNet Blog).