WordPress Plugin Vulnerabilities

Comments Extra Fields For Post,Pages and CPT < 5.1 - Cross-Site Request Forgery

Description

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing or incorrect nonce validation on several ajax actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. As a result, they may modify comment form fields and update plugin settings.

Affects Plugins

Plugin icon
wp-comment-fields
Fixed in 5.1

References

CVE
CVE-2024-0830
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ea53b11-37fa-4c45-a158-5a7709b842fc

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
10e31dd8-3224-491a-b1f4-afdfc154888a

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-26 (about 2 years ago)
Last Updated
2024-02-26 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
Eupago Gateway For Woocommerce < 3.1.10 - CSRF
Published
2024-12-12
Title
Aphorismus <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-22
Title
Show Pages List <= 1.2.0 - Cross-Site Request Forgery
Published
2024-05-29
Title
Comparison Slider <= 1.0.5 - Cross-Site Request Forgery
Published
2025-01-16
Title
Call me Now <= 1.0.5 - Cross-Site Request Forgery