Themes Vulnerabilities

Himer - Social Questions and Answers < 2.1.3 - CSRF While Sending the Invites

Description

The theme lacks CSRF checks allowing a user to invite any user to any group (including private groups)

Proof of Concept

Affects Themes

himer
Fixed in 2.1.3

References

CVE
CVE-2024-2232
URL
http://hacksleep69.tech/
YouTube Video

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Sushmita Poudel
Submitter
Sushmita Poudel
Submitter website
https://susmitapoudel.com.np
Submitter twitter
poudelsushmita1
Verified
Yes
WPVDB ID
a2df28d3-bf03-4fd3-b231-86e062739899

Timeline

Publicly Published
2024-07-15 (about 1 year ago)
Added
2024-07-15 (about 1 year ago)
Last Updated
2025-08-21 (about 4 months ago)

Other

Published
Title
Published
2014-09-18
Title
Easy Forms for MailChimp 5.0.3 - classes/class.yksemeBase.php Multiple Actions CSRF
Published
2025-04-17
Title
bbPress2 shortcode whitelist <= 2.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-02-01
Title
Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF
Published
2025-01-27
Title
Scroll Styler <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-24
Title
Pro Rank Tracker <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting