WordPress Plugin Vulnerabilities

Automatic < 3.92.1 - Cross-Site Request Forgery to Privilege Escalation

Description

The Automatic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.92.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to escalate their privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-automatic
Fixed in 3.92.1

References

CVE
CVE-2024-27955
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/12adf619-4be8-4ecf-8f67-284fc44d87d0

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
fa2f3687-7a5f-4781-8284-6fbea7fafd0e

Timeline

Publicly Published
2024-03-13 (about 2 years ago)
Added
2024-03-20 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Citizen Space 1.0 - Script Insertion CSRF
Published
2022-10-30
Title
Advanced Dynamic Pricing for WooCommerce < 4.1.6 - Rule Type Migration via CSRF
Published
2025-02-03
Title
Auto SEO < 2.6.6 - Stored XSS via CSRF
Published
2025-06-19
Title
WP Front User Submit / Front Editor <= 5.0.6 - Cross-Site Request Forgery
Published
2025-01-07
Title
TubePress.NET <= 4.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting