WordPress Plugin Vulnerabilities

Marketing Optimizer <= 20200925 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description

The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
marketing-optimizer
No known fix

References

CVE
CVE-2024-1976
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b537637b-32c0-405e-94fa-c7c2d0c80658

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
suzuki kaito
Verified
No
WPVDB ID
9b697389-ff9e-47e8-9029-90c53b34465e

Timeline

Publicly Published
2024-02-28 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2025-09-10
Title
Admin in English with Switch <= 1.1 - Cross-Site Request Forgery
Published
2025-12-31
Title
Social Profilr <= 1.0 - Cross-Site Request Forgery
Published
2023-07-11
Title
LWS Cleaner < 2.3.1 - Cross-Site Request Forgery
Published
2023-11-09
Title
Simple Giveaways < 2.46.1 - CSRF
Published
2022-12-23
Title
Tickera < 3.5.1.0 - Plugin Data Deletion via CSRF