WordPress Plugin Vulnerabilities

WP Matterport Shortcode < 2.2.0 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown.

Affects Plugins

Plugin icon
shortcode-gallery-for-matterport-showcase
Fixed in 2.2.0

References

CVE
CVE-2024-32109
URL
https://patchstack.com/database/vulnerability/shortcode-gallery-for-matterport-showcase/wordpress-wp-matterport-shortcode-plugin-2-1-8-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
a7947bc9-abea-4055-b418-a91360f3d5f2

Timeline

Publicly Published
2024-04-11 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2023-03-16
Title
Event Manager for WooCommerce < 3.7.8 - Cross-Site Request Forgery (CSRF)
Published
2024-03-28
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.2 - Cross-Site Request Forgery
Published
2026-01-23
Title
WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update
Published
2021-06-30
Title
Instantio < 1.2.6 - CSRF Bypass
Published
2023-11-12
Title
Mobile Banner < 1.6 - CSRF