Frontpage Manager <= 1.3 – Cross-Site Request Forgery via admin_page | CVE 2024-22285 | Plugin Vulnerabilities

Description

The Frontpage Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the 'admin_page' function. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

frontpage-manager

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/953f4838-d0d5-4546-ac97-c1b442236c5d

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dimas Maulana

Verified

No

WPVDB ID

5bc7f289-f56b-4939-8aff-abcc7fdab103

Timeline

Publicly Published

2024-01-16 (about 2 years ago)

Added

2024-01-19 (about 2 years ago)

Last Updated

2024-01-19 (about 2 years ago)

Other

Published

Title

Published

2022-09-23

Title

3dady Real Time Web Stats <= 1.0 - Stored Cross-Site Scripting via CSRF

Published

2023-11-15

Title

Disable User Login < 1.3.9 - User Login Toggle via CSRF

Published

2024-04-11

Title

WP Compress – Image Optimizer [All-In-One] < 6.11.01 - Cross-Site Request Forgery

Published

2022-07-04

Title

Name Directory < 1.25.4 - Arbitrary Directory/Name Deletion via CSRF

Published

2023-04-19

Title

Liquid Speech Balloon < 1.2 - Settings Update via CSRF