WordPress Plugin Vulnerabilities

FreshMail For WordPress <= 2.3.2 - Cross-Site Request Forgery

Description

The FreshMail For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.2. This is due to missing nonce validation function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
freshmail-integration
No known fix

References

CVE
CVE-2024-22304
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/10ffe689-143a-4232-8094-45844dc5262b

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Skalucy
Verified
No
WPVDB ID
96271b15-6723-4f19-86fc-cc2447b811bd

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2024-12-18
Title
Wayne Audio Player <= 1.0 - Cross-Site Request Forgery to Privilege Escalation
Published
2022-08-25
Title
Access Code Feeder <= 1.0.3 - CSRF
Published
2024-04-11
Title
Float menu < 6.0.1 - Menu Deletion via CSRF
Published
2025-10-03
Title
Trinity Audio < 5.21.0 - Cross-Site Request Forgery
Published
2014-08-01
Title
Related Posts 2.7.1 - Cross-Site Request Forgery