WordPress Plugin Vulnerabilities

1 click disable all < 1.0.2 - Plugins Deactivation via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation, allowing unauthenticated attackers to deactivate all plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
first-graders-toolbox
Fixed in 1.0.2

References

CVE
CVE-2024-21749
URL
https://patchstack.com/database/vulnerability/first-graders-toolbox/wordpress-1-click-disable-all-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Veerla Saikumar
Verified
No
WPVDB ID
d1173f26-b4ea-4902-9af4-101ccef315b5

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2024-01-12 (about 2 years ago)
Last Updated
2024-03-11 (about 2 years ago)

Other

Published
Title
Published
2025-02-24
Title
Just Variables <= 1.2.3 - Cross-Site Request Forgery
Published
2014-08-01
Title
Disable Comments 1.0.3 - disable_comments_settings.php Comment Status Manipulation CSRF
Published
2025-02-03
Title
OneStore Sites <= 0.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation
Published
2024-03-01
Title
Complianz – GDPR/CCPA Cookie Consent < 7.0.0 - Cross-Site Request Forgery to Data Request Deletion
Published
2023-11-21
Title
UserPro < 5.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata