Exploit
CVE-2024-6244

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Jul 22, 2024 / Updated: 4mo ago

CVSS: 8.8 (High) / EPSS: 0.04%

Summary

The PZ Frontend Manager WordPress plugin before version 1.0.6 lacks CSRF checks in some areas, potentially allowing attackers to make logged-in users perform unwanted actions through CSRF attacks.

Impact

This vulnerability could allow attackers to trick logged-in users into performing unintended actions on the WordPress site without their knowledge or consent. These actions could include modifying site settings, creating or deleting content, or potentially even elevating privileges, depending on the specific functionalities of the PZ Frontend Manager plugin. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level. It affects the confidentiality, integrity, and availability of the system, all with high impact.

Exploitation

One proof-of-concept exploit is available on wpscan.com. There is currently no evidence of in-the-wild exploitation.

Patch

A patch is available. The vulnerability is fixed in version 1.0.6 of the PZ Frontend Manager WordPress plugin.

Mitigation

1. Update the PZ Frontend Manager WordPress plugin to version 1.0.6 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the PZ Frontend Manager plugin until it can be updated.
3. Implement general web security best practices, such as using up-to-date browsers with anti-CSRF features and educating users about the risks of clicking on unknown links.
4. Monitor WordPress admin activities for any suspicious actions that could indicate exploitation of this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-6244

Jul 22, 2024 at 6:15 AM
First Article

Feedly found the first article mentioning CVE-2024-6244.

Jul 22, 2024 at 6:22 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 22, 2024 at 6:22 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.3%)

Jul 22, 2024 at 9:23 AM
Trending

This CVE started to trend in security discussions

Jul 22, 2024 at 11:53 AM
Trending

This CVE stopped trending in security discussions

Jul 23, 2024 at 7:12 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 25, 2024 at 3:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jul 25, 2024 at 5:10 PM

Affected Systems

Projectzealous/pz_frontend_manager

Exploits

https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Vulnerability Summary for the Week of July 22, 2024
CVE-2024-6244 Exploit
CVE Id: CVE-2024-6244. Published Date: 2024-07-25T15:15:00+00:00. The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. inTheWild added a link to an exploit: https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/
Update Tue Jul 23 14:35:20 UTC 2024
CVE-2024-6244
Medium Severity. Description: The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Read more at https://www.tenable.com/cve/CVE-2024-6244
NA - CVE-2024-6244 - The PZ Frontend Manager WordPress plugin before...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
