WordPress Plugin Vulnerabilities

Internal Link Juicer: SEO Auto Linker for WordPress < 2.24.4 - Cross-Site Request Forgery

Description

The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.24.3. This is due to missing or incorrect nonce validation on the ilj_rebuild_index and ilj_render_batch_info functions. This makes it possible for unauthenticated attackers to trigger these functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
internal-links
Fixed in 2.24.4

References

CVE
CVE-2024-37941
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/eef7f964-8330-4c57-a5f4-0280853dcf76

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
63fce98e-6d6f-4f4a-ab7d-5c5dbaa4d032

Timeline

Publicly Published
2024-07-09 (about 1 year ago)
Added
2024-07-15 (about 1 year ago)
Last Updated
2024-07-15 (about 1 year ago)

Other

Published
Title
Published
2023-07-11
Title
Shortcode IMDB <= 6.0.8 - Cross-Site Request Forgery
Published
2023-11-14
Title
Pz-LinkCard < 2.5.3 - Caching Management via CSRF
Published
2024-08-23
Title
Favicon Generator < 2.1 - Cross-Site Request Forgery to Arbitrary File Deletion
Published
2025-09-10
Title
Plugin updates blocker <= 0.2 - Cross-Site Request Forgery
Published
2023-01-18
Title
Custom 404 Pro < 3.7.2 - Logs Deletion via CSRF