WordPress Plugin Vulnerabilities

Ultimate Maps by Supsystic < 1.2.17 - Cross-Site Request Forgery

Description

The Ultimate Maps by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.16. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
ultimate-maps-by-supsystic
Fixed in 1.2.17

References

CVE
CVE-2024-31271
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b4108b7-fa78-4f1f-9eee-0e2383b4988c

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
643ce8a6-bb04-4699-97e7-e7116f7885cc

Timeline

Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-11 (about 2 years ago)
Last Updated
2024-04-11 (about 2 years ago)

Other

Published
Title
Published
2021-10-05
Title
Two Way Chat < 3.1.5 - Multiple CSRF
Published
2022-02-07
Title
WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF
Published
2025-03-19
Title
WP MultiTasking <= 0.1.12 - Header/Footer/Body Script Update via CSRF
Published
2025-10-15
Title
Ally - Web Accessibility & Usability < 3.8.1 - Cross-Site Request Forgery to Plugin Settings Update
Published
2026-06-05
Title
LatePoint < 5.6.1 - Cross-Site Request Forgery via invoices__change_status Action