WP Tweet Walls < 1.0.4 – Cross-Site Request Forgery | CVE 2024-38344 | Plugin Vulnerabilities

Description

The WP Tweet Walls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on several functions like wptw_ajax_delete_wall, wptw_ajax_update_wall, wptw_ajax_get_wall, and wptw_ajax_is_limit_reached. This makes it possible for unauthenticated attackers to modify wall settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.0.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fa22a038-3a7e-4821-952f-c163299ddee0

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Yuya Asato

Verified

No

WPVDB ID

18a8fb88-4ca3-49ee-bf63-ec9bec58d13a

Timeline

Publicly Published

2024-06-26 (about 1 year ago)

Added

2024-08-02 (about 1 year ago)

Last Updated

2024-08-02 (about 1 year ago)

Other

Published

Title

Published

2025-04-11

Title

Webcraftic Clearfy – WordPress optimization plugin < 2.3.3 - Cross-Site Request Forgery to Plugin Settings Update via 'setup-wbcr_clearfy'

Published

2023-11-21

Title

Perfmatters < 2.1.7 - Cross-Site Request Forgery

Published

2024-01-24

Title

Paid Memberships Pro < 2.12.8 - Cross-Site Request Forgery

Published

2023-05-25

Title

Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)

Published

2025-06-27

Title

Hide Admin Bar From Front End <= 1.0.0 - Cross-Site Request Forgery