Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation < 2.16.0 – Cross-Site Request Forgery to Notice Dismissal | CVE 2024-33691 | Plugin Vulnerabilities

Description

The OptinMonster plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on the validate_please_connect_notice_dismiss() function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 2.16.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f7ed53bd-08de-4ec9-a8dd-eef72b788359

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

519118f2-a8d1-45d1-a130-c3c710598a7f

Timeline

Publicly Published

2024-04-26 (about 2 years ago)

Added

2024-05-03 (about 2 years ago)

Last Updated

2024-05-03 (about 2 years ago)

Other

Published

Title

Published

2022-12-02

Title

Bulk Delete Users by Email < 2.0.0 - User Deletion via CSRF

Published

2025-04-24

Title

Loan Calculator <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-03-13

Title

LoginPress < 4.0.0 - Arbitrary Options Update via CSRF

Published

2025-04-01

Title

Cache control by Cacholong <= 5.4.1 - Cross-Site Request Forgery

Published

2023-11-07

Title

WP Links Page < 4.9.5 - Cross-Site Request Forgery via wplf_ajax_update_screenshots