Microsoft Clarity < 0.9.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting | CVE 2024-0590 | Plugin Vulnerabilities

Description

The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

microsoft-clarity

Fixed in 0.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

kodaichodai

Verified

No

WPVDB ID

0cf85367-3197-4f6e-a8a7-1a46e09c6e00

Timeline

Publicly Published

2024-02-16 (about 2 years ago)

Added

2024-02-16 (about 2 years ago)

Last Updated

2024-02-16 (about 2 years ago)

Other

Published

Title

Published

2024-06-03

Title

WP-Recall < 16.26.7 - Cross-Site Request Forgery

Published

2025-04-09

Title

WPSolr < 24.0.1 - Privilege Escalation via CSRF

Published

2023-12-27

Title

EnvíaloSimple < 2.3 - API Key Update via CSRF

Published

2022-10-19

Title

reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF

Published

2025-01-16

Title

Mass Custom Fields Manager <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting