WordPress Plugin Vulnerabilities

Fence URL <= 2.0.0 - Cross-Site Request Forgery to Cross-Site Scripting

Description

The Fence URL wp-login.php plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
fence-url
No known fix

References

CVE
CVE-2024-53733
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/eeac5489-7eba-43b6-b7fb-1ce062285948

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
SOPROBRO
Verified
No
WPVDB ID
79f7df67-0a23-4c69-b2f1-e72eb3f39dd8

Timeline

Publicly Published
2024-11-23 (about 1 year ago)
Added
2024-11-26 (about 1 year ago)
Last Updated
2024-11-26 (about 1 year ago)

Other

Published
Title
Published
2024-11-01
Title
Simple Page Specific Sidebars <= 2.14.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-07-05
Title
Locations < 4.0 - Cross-Site Request Forgery
Published
2023-10-16
Title
WP Open Street Map < 1.30 - Arbitrary Settings Update via CSRF
Published
2025-01-24
Title
WP Go Maps < 9.0.41 - Cross-Site Request Forgery
Published
2025-05-19
Title
reCAPTCHA for all < 2.27 - Cross-Site Request Forgery