Woomotiv < 3.5.0 – Review Count Reset via CSRF | CVE 2024-1325

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'ajax_cancel_review' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Proof of Concept

Make a logged in admin open https://example.com/wp-admin/admin-ajax.php?action=woomotiv_cancel_review

Affects Plugins

woomotiv

Fixed in 3.5.0

References

CVE

CVE-2024-1325

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca1c1b43-def2-4f9f-b5c7-075ca188f6e7

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

Yes

WPVDB ID

9dd1ad88-0952-4d15-ab03-f236ce396317

Timeline

Publicly Published

2024-03-19 (about 2 years ago)

Added

2024-03-19 (about 2 years ago)

Last Updated

2024-04-08 (about 2 years ago)

Other

Published

Title

Published

2025-08-15

Title

Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-07-01

Title

Ashe < 2.234 - Cross-Site Request Forgery to Notice Dismissal

Published

2025-10-16

Title

CloudSearch <= 3.0.0 - Cross-Site Request Forgery

Published

2025-09-02

Title

Floating Window Music Player <= 3.4.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-03-30

Title

Configurable Tag Cloud < 5.3 - Cross-Site Request Forgery