WordPress Comments Import & Export < 2.3.6 – Cross-Site Request Forgery | CVE 2024-31235 | Plugin Vulnerabilities

Description

The WordPress Comments Import & Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.5. This is due to missing or incorrect nonce validation on the do_export() function. This makes it possible for unauthenticated attackers to trigger an export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

comments-import-export-woocommerce

Fixed in 2.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9269c3e7-2495-4665-ad08-d6dcf659db21

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

665d8503-5793-4b16-931e-be1b40021b3d

Timeline

Publicly Published

2024-04-05 (about 2 years ago)

Added

2024-04-11 (about 2 years ago)

Last Updated

2024-04-11 (about 2 years ago)

Other

Published

Title

Published

2023-10-06

Title

Schedule Posts Calendar < 5.3 - CSRF

Published

2025-12-31

Title

Email Capture < 3.12.6 - Cross-Site Request Forgery

Published

2022-10-10

Title

SeoSamba for WordPress Webmasters < 1.0.6 - Access Key Update via CSRF

Published

2025-05-19

Title

AWcode Toolkit < 1.0.19 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-04-07

Title

Comments Ratings < 1.1.7 - Cross-Site Request Forgery