WordPress Plugin Vulnerabilities

Change default login logo,url and title <= 2.0 - Cross-Site Request Forgery

Description

The Change default login logo,url and title plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing or incorrect nonce. This makes it possible for unauthenticated attackers to perform an unauthorized action and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
change-default-login-logo-url-and-title
No known fix

References

CVE
CVE-2024-31086
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9c935ec2-c51e-4760-bccc-3a6988bd4262

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dimas Maulana
Verified
No
WPVDB ID
d445112e-8ed4-4135-872d-d72c8f61ef77

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2023-01-27
Title
Conditional Shipping for WooCommerce < 2.3.2 - Ruleset Toggle via CSRF
Published
2024-04-12
Title
eCommerce Product Catalog < 3.3.29 - Cross-Site Request Forgery
Published
2025-03-24
Title
WordPres 同步微博 <= 1.1.0 - Cross-Site Request Forgery
Published
2023-12-27
Title
Spam protection, AntiSpam, FireWall by CleanTalk < 6.21 - Email Update via CSRF
Published
2025-01-08
Title
Woocommerce check pincode/zipcode for shipping <= 2.0.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting