WordPress Plugin Vulnerabilities

W3SPEEDSTER < 7.20 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
w3speedster-wp
Fixed in 7.20

References

CVE
CVE-2024-24708
URL
https://patchstack.com/database/vulnerability/w3speedster-wp/wordpress-w3speedster-plugin-7-19-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
d4077efa-e458-4bad-b999-81353f24e903

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-03-21 (about 2 years ago)

Other

Published
Title
Published
2021-04-14
Title
Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
Published
2021-10-04
Title
Far Future Expiry Header < 1.5 - Plugin's Settings Update via CSRF
Published
2023-11-28
Title
MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 - Cross-Site Request Forgery via multiple functions
Published
2025-02-17
Title
SpeedSize Image & Video AI-Optimizer < 1.5.2 - Cross-Site Request Forgery to Clear Cache
Published
2022-10-28
Title
Ask Me < 6.8.7 - Post Deletion via CSRF