JobScout < 1.1.5 – Cross-Site Request Forgery to Notice Dimissal | CVE 2024-37421 | Theme Vulnerabilities

Description

The JobScout theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the jobscout_update_admin_notice() function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Themes

Fixed in 1.1.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c63e7dbb-af56-47b9-8206-5bef96754a38

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

9ced7179-d292-4997-8402-895bc0304a62

Timeline

Publicly Published

2024-06-28 (about 1 year ago)

Added

2024-07-03 (about 1 year ago)

Last Updated

2024-07-03 (about 1 year ago)

Other

Published

Title

Published

2024-11-28

Title

DancePress (TRWA) <= 3.1.11 - Cross-Site Request Forgery

Published

2025-01-16

Title

DF Draggable <= 1.13.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-09-30

Title

Media Library Folders < 7.1.2 - Plugin Reset via CSRF

Published

2014-08-01

Title

FunCaptcha 0.3.2- Setting Manipulation CSRF

Published

2026-02-18

Title

Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action