TinyPNG < 3.4.4 – Cross-Site Request Forgery | CVE 2024-47635 | Plugin Vulnerabilities

Description

The TinyPNG plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on the update_api_key() function and other functions. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

tiny-compress-images

Fixed in 3.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9e44d85d-6bde-4194-8f33-5db6dacf544c

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

d53acb1e-d810-4c88-b5a1-c564368b1e59

Timeline

Publicly Published

2024-09-30 (about 1 year ago)

Added

2024-10-10 (about 1 year ago)

Last Updated

2024-10-10 (about 1 year ago)

Other

Published

Title

Published

2024-10-14

Title

Social Auto Poster < 5.3.16 - Cross-Site Request Forgery

Published

2023-11-14

Title

Welcart e-Commerce < 2.9.5 - Cross-Site Request Forgery

Published

2025-08-27

Title

Simple Page Access Restriction < 1.0.33 - Cross-Site Request Forgery

Published

2024-03-01

Title

Complianz – GDPR/CCPA Cookie Consent < 7.0.0 - Cross-Site Request Forgery to Data Request Deletion

Published

2025-09-22

Title

Double the Donation < 3.0.0 - Cross-Site Request Forgery