Login With Ajax < 4.2 – Cross-Site Request Forgery to Notice Dismissal | CVE 2024-30546 | Plugin Vulnerabilities

Description

The Login With Ajax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on the dismiss_admin_notice() function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

login-with-ajax

Fixed in 4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ec29e5fc-5635-4809-9bb5-cd28f7fac17e

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

fb6f3986-a504-47a8-b1c8-703a1b746a0a

Timeline

Publicly Published

2024-04-10 (about 2 years ago)

Added

2024-04-16 (about 2 years ago)

Last Updated

2024-04-16 (about 2 years ago)

Other

Published

Title

Published

2025-08-14

Title

flexo-social-gallery <= 1.0006 - Cross-Site Request Forgery

Published

2019-06-03

Title

WP Google Maps <= 7.11.27 - Admin Settings CSRF

Published

2023-12-22

Title

Anti Hacker < 4.35 - Cross-Site Request Forgery via antihacker_ajax_scan

Published

2025-02-21

Title

A1POST.BG Shipping for WooCommerce < 1.5.1 - Privilege Escalation via CSRF

Published

2021-07-21

Title

NewsPlugin < 1.1.0 - CSRF to Stored Cross-Site Scripting