Finale Lite < 2.18.1 – Cross-Site Request Forgery | CVE 2024-32107 | Plugin Vulnerabilities

Description

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.18.0. This is due to missing or incorrect nonce validation on the xlo_optin_call() function. This makes it possible for unauthenticated attackers to opt into tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

finale-woocommerce-sales-countdown-timer-discount

Fixed in 2.18.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa290a4b-06b6-4057-ae56-1c0b74b2ee5a

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

547827ef-77f0-49b7-992b-74cba887f8fe

Timeline

Publicly Published

2024-04-11 (about 2 years ago)

Added

2024-04-17 (about 2 years ago)

Last Updated

2024-04-17 (about 2 years ago)

Other

Published

Title

Published

2025-10-14

Title

Theme Importer <= 1.0 - Cross-Site Request Forgery

Published

2025-04-04

Title

Rollbar < 3.0.0 - Cross-Site Request Forgery

Published

2022-08-02

Title

MaxButtons < 9.3 - Arbitrary Settings Update via CSRF

Published

2023-05-24

Title

Download < 2.0.5 - Cross-Site Request Forgery (CSRF)

Published

2025-01-15

Title

VikAppointments Services Booking Calendar < 1.2.17 - Cross-Site Request Forgery