All In One WP Security < 5.2.7 – Cross-Site Request Forgery to IP Blocking | CVE 2024-30468 | Plugin Vulnerabilities

Description

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.6. This is due to missing or incorrect nonce validation on the render_404_detection() function. This makes it possible for unauthenticated attackers to block IP addresses that triggered a 404 via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

all-in-one-wp-security-and-firewall

Fixed in 5.2.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ananda Dhakal

Verified

No

WPVDB ID

2b5cc316-86b5-43ef-b852-31b6f3a9e132

Timeline

Publicly Published

2024-02-08 (about 2 years ago)

Added

2024-04-04 (about 1 year ago)

Last Updated

2024-04-04 (about 1 year ago)

Other

Published

Title

Published

2025-08-19

Title

Easy Digital Downloads < 3.5.1 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions

Published

2025-03-27

Title

SimplyRETS Real Estate IDX < 3.1.0 - Cross-Site Request Forgery

Published

2022-08-25

Title

Better Font Awesome < 2.0.2 - Settings Update via CSRF

Published

2025-01-03

Title

wpSOL <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Cross-Site Request Forgery via categorifyAjaxRenameCategory