WordPress Plugin Vulnerabilities

404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function

Description

The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings() function. This makes it possible for unauthenticated attackers to make changes to plugin settings and clear up all the error logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
404-error-monitor
No known fix

References

CVE
CVE-2024-11118
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ba7a54d-3497-4788-aa73-081d2c1015fc

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
5bc958c9-1298-46ce-be81-329292c12402

Timeline

Publicly Published
2024-11-15 (about 1 year ago)
Added
2024-11-15 (about 1 year ago)
Last Updated
2024-11-16 (about 1 year ago)

Other

Published
Title
Published
2023-07-17
Title
WooCommerce Order Barcodes < 1.6.5 - Cross-Site Request Forgery
Published
2024-04-11
Title
Responsive Contact Form Builder & Lead Generation Plugin < 1.9.0 - Missing Authorization
Published
2024-09-10
Title
EKC Tournament Manager < 2.2.2 - Create Tournaments/Teams via CSRF
Published
2023-09-05
Title
WP Gallery Metabox <= 1.0.0 - Settings Update via CSRF
Published
2023-09-04
Title
Hide Admin Notices < 2.3.3 - Settings Update via CSRF