WP-Eggdrop <= 0.1 – Cross-Site Request Forgery to Settings Update | CVE 2024-2969 | Plugin Vulnerabilities

Description

The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpegg_updateOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2cd509f7-100a-4f28-8d5a-b6b906456c52

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Benedictus Jovan

Verified

No

WPVDB ID

3fa4ca9b-4ce3-4b48-a913-ad45948b7354

Timeline

Publicly Published

2024-03-28 (about 2 years ago)

Added

2024-03-28 (about 2 years ago)

Last Updated

2024-03-28 (about 2 years ago)

Other

Published

Title

Published

2023-10-19

Title

Duplicate <= 0.1.6 - CSRF

Published

2023-05-24

Title

Kopa Framework <= 1.3.5 - Cross-Site Request Forgery

Published

2021-07-06

Title

WP HTML Mail < 3.0.8 - CSRF to XSS

Published

2024-05-06

Title

Business Card <= 1.0.0 - Category Edit via CSRF

Published

2024-11-15

Title

EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.9 - Cross-Site Request Forgery