Index Now < 2.6.4 – Cross-Site Request Forgery via reset_form | CVE 2024-0428 | Plugin Vulnerabilities

Description

The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

mihdan-index-now

Fixed in 2.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

54d20241-0ed9-49bd-9857-014ac39e6608

Timeline

Publicly Published

2024-01-12 (about 2 years ago)

Added

2024-01-13 (about 2 years ago)

Last Updated

2024-01-13 (about 2 years ago)

Other

Published

Title

Published

2023-10-16

Title

Who Hit The Page – Hit Counter <= 1.4.14.3 - CSRF

Published

2025-01-06

Title

ViewMedica Embed < 1.4.18 - Cross-Site Request Forgery to SQL Injection

Published

2016-04-12

Title

WordPress <= 4.4.2 - Script Compression Option CSRF

Published

2014-12-18

Title

Gslideshow <= 0.1 - Multiple CSRF

Published

2021-07-06

Title

WP HTML Mail < 3.0.8 - CSRF to XSS