CVE-2024-6751

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Jul 24, 2024 / Updated: 3mo ago

CVSS 6.5 / EPSS 0.05% / Medium

Summary

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

Impact

This vulnerability allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. Potential impacts include:

1. Unauthorized addition, modification, or deletion of post meta data.
2. Unauthorized changes to plugin options.
3. Potential for attackers to manipulate the content and functionality of the affected WordPress site.
4. Compromise of data integrity and potentially site operations.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, since the vulnerability affects versions up to and including 5.3.14 of the Social Auto Poster plugin, updating to a version newer than 5.3.14 (if one is available) would likely address it.

Mitigation

1. Update the Social Auto Poster plugin to a version newer than 5.3.14 if available.
2. If an update is not available, consider temporarily disabling the Social Auto Poster plugin until a patch is released.
3. Implement proper CSRF protection mechanisms, including correct nonce validation for all relevant functions.
4. Monitor WordPress and plugin logs for any suspicious activities.
5. Educate users about the risks of clicking on unknown links, especially when logged into the WordPress admin panel.
6. Consider implementing additional security measures such as Web Application Firewalls (WAF) to help mitigate CSRF attacks.
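Mitigation step 3 asks for correct nonce validation. The following is an added illustration of what "missing or incorrect nonce validation" looks like in a WordPress handler and how the same handler is hardened; it is hypothetical example code, not Social Auto Poster's code, and every `hypothetical_*` name, the `manage_options` capability choice and the option/meta keys are assumptions. It uses only standard WordPress API functions (`check_ajax_referer`, `wp_verify_nonce`, `current_user_can`, `wp_nonce_field`).

```php
<?php
// Added example (hypothetical plugin code, not the Social Auto Poster plugin).
// Demonstrates a CSRF-exposed AJAX handler that writes post meta and a plugin
// option, and the same handler with nonce and capability checks.

// --- Pattern 1: missing nonce validation (vulnerable, shown for contrast) ----
// Nothing ties the request to a page the user actually loaded, and nothing
// checks privilege, so any request carrying the victim's session cookies
// reaches the writes. This function is intentionally NOT registered below.
function hypothetical_save_settings_missing_nonce() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, '_hypothetical_target', sanitize_text_field( wp_unslash( $_POST['target'] ) ) );
    update_option( 'hypothetical_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) );
    wp_send_json_success();
}

// --- Pattern 2: incorrect nonce validation (also vulnerable) ----------------
// wp_verify_nonce() does not die on failure; it returns false. Calling it
// without acting on the return value provides no protection at all.
function hypothetical_save_settings_ignored_result() {
    wp_verify_nonce( $_POST['nonce'] ?? '', 'hypothetical_save_settings' ); // result discarded: bug
    update_option( 'hypothetical_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Pattern 3: hardened handler ---------------------------------------------
// check_ajax_referer() validates the nonce minted for the action
// 'hypothetical_save_settings' and terminates the request (HTTP 403 / -1)
// when it is absent or stale. A cross-site page cannot read the nonce, so a
// forged request stops here. current_user_can() is a separate authorization
// check: a nonce proves intent from a page the user loaded, not privilege.
function hypothetical_save_settings_hardened() {
    check_ajax_referer( 'hypothetical_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'cannot edit this post', 403 );
    }

    $target  = isset( $_POST['target'] )  ? sanitize_text_field( wp_unslash( $_POST['target'] ) )  : '';
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';

    update_post_meta( $post_id, '_hypothetical_target', $target );
    update_option( 'hypothetical_api_key', $api_key );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users
// (no wp_ajax_nopriv_ hook, so unauthenticated callers never reach it).
add_action( 'wp_ajax_hypothetical_save_settings', 'hypothetical_save_settings_hardened' );

// The legitimate settings page emits the nonce so genuine requests carry it.
function hypothetical_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_save_settings">';
    wp_nonce_field( 'hypothetical_save_settings', 'nonce' ); // adds hidden "nonce" field
    echo '<input type="text" name="target"> <input type="text" name="api_key"> ';
    echo '<button type="submit">Save</button></form>';
}
```

When reviewing a plugin for this class of bug, the two things to look for are handlers registered under `wp_ajax_*`, `admin_post_*`, or `admin_init` that write options or meta without a `check_ajax_referer`/`check_admin_referer` call, and calls to `wp_verify_nonce` whose return value is never tested.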

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-6751.

Jul 24, 2024 at 2:48 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 24, 2024 at 2:49 AM
CVE Assignment

NVD published the first details for CVE-2024-6751

Jul 24, 2024 at 3:15 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Jul 24, 2024 at 3:20 AM / nvd
Trending

This CVE started to trend in security discussions

Jul 24, 2024 at 8:37 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.4%)

Jul 24, 2024 at 9:39 AM
Trending

This CVE stopped trending in security discussions

Jul 26, 2024 at 1:10 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Sep 3, 2024 at 9:40 PM / nvd

Affected Systems

Wpwebinfotech/social_auto_poster

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 22, 2024 to July 28, 2024)
Last week, there were 68 vulnerabilities disclosed in 51 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. WordPress Plugins with Reported Vulnerabilities Last Week
Medium - CVE-2024-6751 - The Social Auto Poster plugin for WordPress is...
The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple...
Cross-Site Request Forgery vulnerability in Social Auto Poster plugin for WordPress
Social Auto Poster - MEDIUM - CVE-2024-6751 The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.
CVE-2024-6751
The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin...
CVE-2024-6751 - WordPress Social Auto Poster Cross-Site Request Forgery Vulnerability
CVE ID : CVE-2024-6751 Published : July 24, 2024, 3:15 a.m. 17 minutes ago Description : The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. Severity: 6.3

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:None
Integrity:High
Availability Impact:None
