WordPress Plugin Vulnerabilities

Table of Contents Plus < 2411 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
table-of-contents-plus
Fixed in 2411

References

CVE
CVE-2024-49250
URL
https://patchstack.com/database/vulnerability/table-of-contents-plus/wordpress-table-of-contents-plus-plugin-2408-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
d9b0b675-749c-40fe-82cd-e150ccb03033

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2025-02-28 (about 1 year ago)

Other

Published
Title
Published
2025-05-07
Title
Awin – Advertiser Tracking for WooCommerce < 2.0.1 - Product Feed Generation via CSRF
Published
2024-05-29
Title
WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_addcomment
Published
2025-06-27
Title
Image Cleanup <= 1.9.2 - Cross-Site Request Forgery
Published
2026-02-18
Title
NewsBlogger 0.2.5.6 - 0.2.5.9 - Arbitrary Plugin Installation via CSRF
Published
2025-01-16
Title
Category Custom Fields <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting