Depicter < 3.1.0 – Authenticated (Contributor+) Arbitrary Nonce Generation | CVE 2024-4390 | Plugin Vulnerabilities

Description

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/function. This could be used to invoke functionality that is protected only by nonce checks.

Affects Plugins

Fixed in 3.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dd7c3a5d-b8aa-45cb-983c-55ba7e3d72f3

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

2ab59128-7d17-4b6b-9f2a-8c77ce4604f4

Timeline

Publicly Published

2024-06-19 (about 1 year ago)

Added

2024-06-19 (about 1 year ago)

Last Updated

2024-06-20 (about 1 year ago)

Other

Published

Title

Published

2022-02-17

Title

UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download

Published

2025-03-19

Title

File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read

Published

2025-08-27

Title

Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection < 11.59 - Insufficient Authorization to Unauthenticated Blocklist Bypass

Published

2024-03-05

Title

Testimonial Slider < 2.3.7 - Author+ Settings Update

Published

2023-05-12

Title

WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks