WordPress Plugin Vulnerabilities

Custom Dashboard Widgets <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via cdw_DashboardWidgets

Description

The Custom Dashboard Widgets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'cdw_DashboardWidgets' function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including adding a Cross-Site Scripting payload, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
custom-dashboard-widgets
No known fix

References

CVE
CVE-2024-22290
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3208426a-379d-46b9-a9e7-654604169929

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Dimas Maulana
Verified
No
WPVDB ID
2b85d66a-91d2-4ebf-bd3b-0d9c4388d29f

Timeline

Publicly Published
2024-01-16 (about 2 years ago)
Added
2024-01-19 (about 2 years ago)
Last Updated
2024-01-19 (about 2 years ago)

Other

Published
Title
Published
2025-12-30
Title
PawFriends - Pet Shop and Veterinary WordPress <= 1.3 - Cross-Site Request Forgery
Published
2014-08-01
Title
Specialist by Templatic - CSRF File Upload
Published
2025-01-16
Title
Twitter Shortcode <= 0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-05-07
Title
DS Site Message < 1.14.5 - Stored XSS via CSRF
Published
2025-04-04
Title
Sidebar Manager Light <= 1.1.8 - Cross-Site Request Forgery