Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing < 3.6.4 – Plugin Settings Update via CSRF | CVE 2024-2326 | Plugin Vulnerabilities

Description

The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's configuration including stripe integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 3.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/97d78b4b-568e-43e7-bebf-091179c321f6

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

64917099-3668-4857-8c2d-1762bbdbf29c

Timeline

Publicly Published

2024-03-22 (about 2 years ago)

Added

2024-03-22 (about 2 years ago)

Last Updated

2024-03-22 (about 2 years ago)

Other

Published

Title

Published

2025-03-13

Title

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.84 - Cross-Site Request Forgery to Local File Inclusion

Published

2026-01-27

Title

Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update

Published

2023-06-27

Title

Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 - Cross-Site Request Forgery

Published

2014-08-01

Title

Knews 1.2.5 - Multilingual Newsletters Cross-Site Request Forgery

Published

2024-06-28

Title

OnePress < 2.3.7 - Cross-Site Request Forgery via save_settings()