Tumult Hype Animations < 1.9.12 – Cross-Site Request Forgery to Cross-Site Scripting | CVE 2024-30461 | Plugin Vulnerabilities

Description

The Tumult Hype Animations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.11. This is due to missing or incorrect nonce validation on the hypeanimations_updatecontainer() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-30460 may be a duplicate of this issue.

Affects Plugins

tumult-hype-animations

Fixed in 1.9.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ee7408d2-3cff-4c80-bc07-b0418676e961

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Majed Refaea

Verified

No

WPVDB ID

c9cebcef-722e-4385-83bb-80306a4e5906

Timeline

Publicly Published

2024-03-28 (about 2 years ago)

Added

2024-04-04 (about 2 years ago)

Last Updated

2024-04-04 (about 2 years ago)

Other

Published

Title

Published

2024-11-18

Title

Infinite Slider <= 2.0.1 - Reflected Cross-Site Scripting

Published

2024-05-10

Title

Starter Templates — Elementor, WordPress & Beaver Builder Templates < 4.2.2 - Contributor+ Stored Cross-Site Scripting

Published

2021-06-28

Title

Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)

Published

2024-03-29

Title

AI Twitter Feeds (Twitter widget & shortcode) <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-05-17

Title

WP Athletics <= 1.1.7 - Subscriber+ Stored Cross-Site Scripting