WordPress Plugin Vulnerabilities

Schema App Structured Data < 2.2.1 - Cross-Site Request Forgery

Description

The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
schema-app-structured-data-for-schemaorg
Fixed in 2.2.1

References

CVE
CVE-2024-0892
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/254291b3-a30d-44ff-9df4-6ba700a9efc9

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
02a640ba-0f5d-4b2c-a99d-dc96006e14ed

Timeline

Publicly Published
2024-06-13 (about 2 years ago)
Added
2024-06-13 (about 2 years ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2023-09-11
Title
Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF
Published
2025-02-28
Title
Simple:Press < 6.10.13 - Cross-Site Request Forgery to Unauthorized Post Editing
Published
2026-05-26
Title
Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page
Published
2025-08-14
Title
flexo-social-gallery <= 1.0006 - Cross-Site Request Forgery
Published
2024-08-22
Title
Blog Introduction <= 0.3.0 - Settings Update via CSRF