Themify Builder < 7.0.6 – Cross-Site Request Forgery | CVE 2024-24872 | Plugin Vulnerabilities

Description

The Themify Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.0.5. This is due to missing or incorrect nonce validation on the cache_menu() function. This makes it possible for unauthenticated attackers to clear cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

themify-builder

Fixed in 7.0.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

763dbc3d-d15c-4408-89bb-7ab736cc7ff6

Timeline

Publicly Published

2024-02-05 (about 2 years ago)

Added

2024-02-08 (about 2 years ago)

Last Updated

2024-02-08 (about 2 years ago)

Other

Published

Title

Published

2025-01-06

Title

ThePerfectWedding.nl Widget < 2.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-12-22

Title

Premium Addons for Elementor < 4.11.54 - Arbitrary Template Creation via CSRF

Published

2023-07-27

Title

Multiple Plugins from Inisev - Plugin Installation via CSRF

Published

2022-09-30

Title

Media Library Folders < 7.1.2 - Plugin Reset via CSRF

Published

2024-07-06

Title

Leaky Paywall < 4.21.3 - Cross-Site Request Forgery