WordPress Plugin Vulnerabilities

Digits < 8.4.2 - Cross-Site Request Forgery to Privilege Escalation

Description

The Digits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.1. This is due to missing nonce validation in the 'digits_save_settings' function. This makes it possible for unauthenticated attackers to modify the default role of registered users to elevate user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
digits
Fixed in 8.4.2

References

CVE
CVE-2024-0203
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/84f2afb4-f1c6-4313-8958-38f1b5140a67

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
39007092-9b2e-48e3-b6da-7ce2aac91ae7

Timeline

Publicly Published
2024-02-22 (about 2 years ago)
Added
2024-03-07 (about 2 years ago)
Last Updated
2024-03-07 (about 2 years ago)

Other

Published
Title
Published
2025-06-27
Title
HidePost <= 2.3.8 - Cross-Site Request Forgery
Published
2025-11-27
Title
Nextend Social Login and Register < 3.1.22 - Cross-Site Request Forgery to Unlink User Social Login
Published
2024-10-14
Title
cSlider <= 2.4.2 - Cross-Site Request Forgery
Published
2025-02-03
Title
Smart DoFollow <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-11-03
Title
Posts Navigation Links for Sections and Headings - Free by WP Masters <= 1.0.1 - Cross-Site Request Forgery to Settings Update