Post Views Counter < 1.4.5 – Cross-Site Request Forgery via save_bulk_post_views() | CVE 2024-31264 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the save_bulk_post_views() function. This makes it possible for unauthenticated attackers to save bulk post views via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

post-views-counter

Fixed in 1.4.5

References

CVE

URL

https://patchstack.com/database/vulnerability/post-views-counter/wordpress-post-views-counter-plugin-1-4-4-cross-site-request-forgery-csrf-vulnerability

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon James Roldan (tomorrowisnew)

Verified

No

WPVDB ID

f999eaa3-d447-4cba-a1b4-2dc2eab4c094

Timeline

Publicly Published

2024-04-05 (about 2 years ago)

Added

2024-04-12 (about 2 years ago)

Last Updated

2024-04-12 (about 2 years ago)

Other

Published

Title

Published

2023-02-28

Title

Free WooCommerce Theme 99fy Extension < 1.2.8 - Arbitrary Plugin Activation via CSRF

Published

2023-11-27

Title

Delete Post Revisions In WordPress <= 4.6 - Cross-Site Request Forgery

Published

2025-05-19

Title

Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 6.2.5 - Cross-Site Request Forgery

Published

2021-10-05

Title

Two Way Chat < 3.1.5 - Multiple CSRF

Published

2025-04-24

Title

Loan Calculator <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting