WordPress Plugin Vulnerabilities

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Cross-Site Request Forgery

Description

The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
play-ht
No known fix

References

CVE
CVE-2024-0827
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/de112e5a-4b92-4389-8c6e-b2bfeb6f6cd4

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
65e9d23b-b13c-4a5a-aba2-47116f8871b1

Timeline

Publicly Published
2024-02-22 (about 2 years ago)
Added
2024-02-22 (about 2 years ago)
Last Updated
2024-02-22 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Anti-Spam: Spam Protection < 2025 - Multiple Administrative Actions via CSRF
Published
2025-09-26
Title
HotelRunner Booking Widget <= 1.6 - Cross-Site Request Forgery
Published
2025-09-22
Title
WP Compiler <= 1.0.0 - Cross-Site Request Forgery
Published
2023-01-19
Title
WP Tabs Slides <= 2.0.3 - CSRF
Published
2021-06-30
Title
MZ MBO Access < 2.0.9 - Unauthorised AJAX call