PowerPack Pro for Elementor < 2.10.8 – Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting | CVE 2024-24843 | Plugin Vulnerabilities

Description

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions prior to 2.10.8. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to modify plugin settings and inject arbitrary web scripts in pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

powerpack-elements

Fixed in 2.10.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e68bbee2-1c1a-4751-988e-dde423f8aab3

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dave Jong

Verified

No

WPVDB ID

436258ef-5505-45bd-a705-7c435d52af2f

Timeline

Publicly Published

2024-02-02 (about 2 years ago)

Added

2024-02-05 (about 2 years ago)

Last Updated

2024-02-05 (about 2 years ago)

Other

Published

Title

Published

2023-10-18

Title

Google Calendar Events < 3.2.6 - Cross-Site Request Forgery (CSRF)

Published

2023-02-15

Title

Podlove Subscribe button < 1.3.9 - Multiple CSRF

Published

2022-07-04

Title

Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF

Published

2024-06-28

Title

NewsMash < 1.0.35 - Cross-Site Request Forgery to Notice Dismissal

Published

2023-12-07

Title

PayTR Taksit Tablosu <= 1.3.4 - CSRF