WordPress Plugin Vulnerabilities

Link Library < 7.6 - Cross-Site Request Forgery via action_admin_init

Description

The Link Library plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.5.13. This is due to missing or incorrect nonce validation on the action_admin_init() function. This makes it possible for unauthenticated attackers to dismissing a notice via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
link-library
Fixed in 7.6

References

CVE
CVE-2024-24875
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
16ffa1df-c27e-4c0e-b324-3b3f0dc1b465

Timeline

Publicly Published
2024-02-05 (about 2 years ago)
Added
2024-02-08 (about 2 years ago)
Last Updated
2024-02-08 (about 2 years ago)

Other

Published
Title
Published
2025-12-04
Title
Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization
Published
2025-01-06
Title
ViewMedica Embed < 1.4.18 - Cross-Site Request Forgery to SQL Injection
Published
2024-04-08
Title
ELEX WooCommerce Dynamic Pricing and Discounts < 2.1.3 - Cross-Site Request Forgery
Published
2025-05-07
Title
WP Fundraising Donation and Crowdfunding Platform < 1.7.4 - Cross-Site Request Forgery
Published
2025-04-11
Title
InPost Gallery < 2.1.4.4 - Cross-Site Request Forgery