WordPress Plugin Vulnerabilities

Watermark RELOADED < 1.4.0 - Cross-Site Request Forgery via optionsPage

Description

The Watermark RELOADED plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.5. This is due to missing or incorrect nonce validation on the 'optionsPage' function. This makes it possible for unauthenticated attackers to update plugin options, which includes the ability to inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
watermark-reloaded
Fixed in 1.4.0

References

CVE
CVE-2024-27195
URL
https://patchstack.com/database/wordpress/plugin/watermark-reloaded/vulnerability/wordpress-watermark-reloaded-plugin-1-3-5-csrf-to-xss-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Dimas Maulana
Verified
No
WPVDB ID
751d5d10-4626-4d71-acd7-acdf4c2a0b73

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2025-12-08 (about 3 months ago)

Other

Published
Title
Published
2014-08-01
Title
SexyBookmarks - Setting Manipulation CSRF
Published
2024-03-25
Title
Paid Memberships Pro < 3.0 - Cross-Site Request Forgery
Published
2025-09-05
Title
To Lead For Salesforce <= 2.7.3.9 - Cross-Site Request Forgery
Published
2025-03-27
Title
Custom Login Logo < 1.1.8 - Cross-Site Request Forgery
Published
2023-09-29
Title
Keap Landing Pages <= 1.4.2 - Settings Update via CSRF