Chic Lite < 1.1.4 – Cross-Site Request Forgery to Notice Dismissal | CVE 2024-37104 | Theme Vulnerabilities

Description

The Chic Lite theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the chic_lite_update_admin_notice function. This makes it possible for unauthenticated attackers to to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Themes

Fixed in 1.1.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ab2d12-5ed0-472a-be96-723577b011aa

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

f114241a-9187-4cde-b7cc-6b3d282710d1

Timeline

Publicly Published

2024-06-20 (about 1 year ago)

Added

2024-07-02 (about 1 year ago)

Last Updated

2024-07-02 (about 1 year ago)

Other

Published

Title

Published

2025-12-15

Title

Meks Quick Plugin Disabler <= 1.0 - Cross-Site Request Forgery

Published

2023-04-12

Title

ChatBot < 4.4.5 - Stored XSS via CSRF

Published

2025-06-05

Title

Atelier Create CV <= 1.1.5 - Settings Update via CSRF

Published

2023-10-24

Title

Quill Forms < 3.4.0 - Cross-Site Request Forgery

Published

2025-02-17

Title

Ecwid by Lightspeed Ecommerce Shopping Cart < 6.12.28 - Cross-Site Request Forgery to Send Deactivation Message