WordPress Plugin Vulnerabilities

Swift Performance Lite < 2.3.6.21 - Cross-Site Request Forgery

Description

The Swift Performance Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.6.20. This is due to missing or incorrect nonce validation on the navigate() function. This makes it possible for unauthenticated attackers to activate a plugin and dismiss an admin notice via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
swift-performance-lite
Fixed in 2.3.6.21

References

CVE
CVE-2024-37511
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb79409-441a-4991-bc0d-c0f46eb72bb9

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
f080bb8d-0c05-4b19-b768-c847ae7a4fae

Timeline

Publicly Published
2024-07-05 (about 1 year ago)
Added
2024-07-10 (about 1 year ago)
Last Updated
2024-07-10 (about 1 year ago)

Other

Published
Title
Published
2023-04-06
Title
PHP Compatibility Checker < 1.6.0 - Cross-Site Request Forgery
Published
2014-08-01
Title
CMS Tree Page View 1.2.4 - Page Creation CSRF
Published
2023-11-13
Title
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Published
2025-02-17
Title
Mortgage Lead Capture System < 8.3.1 - Cross-Site Request Forgery to Settings Reset
Published
2025-01-24
Title
ReviewsTap < 1.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting