Cross-Site Request Forgery (CSRF) (CWE-352)
The Insert PHP Code Snippet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation in the /admin/snippets.php file. This makes it possible for unauthenticated attackers to activate, deactivate and delete code snippets via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
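The root cause named above is a state-changing admin action that is accepted without a nonce. The following PHP is an added illustration, not code from the Insert PHP Code Snippet plugin or from Feedly: it uses hypothetical names (the `ipcs_demo_` prefix, the `ipcs_demo_snippets` option, the `ipcs-demo` page slug) and shows the CSRF-prone handler pattern beside the nonce-checked form that WordPress core APIs (`check_admin_referer`, `wp_nonce_url`, `current_user_can`) provide.

```php
<?php
// Added illustration (hypothetical plugin code, not the real plugin): an admin page
// that activates, deactivates or deletes stored snippets.

// Hypothetical: snippets stored as an array keyed by id in one option.
const IPCS_DEMO_OPTION = 'ipcs_demo_snippets';

// VULNERABLE pattern: any request carrying the right query parameters is honoured,
// whether or not the logged-in administrator intended to send it. Nothing ties the
// request to a page the administrator actually rendered.
function ipcs_demo_handle_action_vulnerable() {
    $action = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
    $id     = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( $id && in_array( $action, array( 'activate', 'deactivate', 'delete' ), true ) ) {
        ipcs_demo_apply( $action, $id ); // no capability check, no nonce check
    }
}

// HARDENED pattern: capability check plus a nonce bound to the specific action and id.
function ipcs_demo_handle_action_hardened() {
    $action = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
    $id     = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( ! $id || ! in_array( $action, array( 'activate', 'deactivate', 'delete' ), true ) ) {
        return;
    }
    // Only administrators may manage snippets. This alone does not stop CSRF
    // (the victim is an administrator), but it limits which sessions matter.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ipcs-demo' ), 403 );
    }
    // check_admin_referer() reads the _wpnonce query argument, verifies it against
    // the current user's session token and the action string, and dies on failure.
    // Binding the nonce to action + id means a nonce issued for "activate 3"
    // cannot be reused for "delete 3".
    check_admin_referer( 'ipcs_demo_' . $action . '_' . $id );
    ipcs_demo_apply( $action, $id );
}

// Build the action links the admin list renders, each carrying its own nonce.
function ipcs_demo_action_link( $action, $id ) {
    $url = add_query_arg(
        array( 'page' => 'ipcs-demo', 'action' => $action, 'id' => $id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'ipcs_demo_' . $action . '_' . $id );
}

// Shared state change; identical for both handlers.
function ipcs_demo_apply( $action, $id ) {
    $snippets = get_option( IPCS_DEMO_OPTION, array() );
    if ( ! isset( $snippets[ $id ] ) ) {
        return;
    }
    if ( 'delete' === $action ) {
        unset( $snippets[ $id ] );
    } else {
        $snippets[ $id ]['active'] = ( 'activate' === $action );
    }
    update_option( IPCS_DEMO_OPTION, $snippets );
}

// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_init', 'ipcs_demo_handle_action_hardened' );
```

The point of the hardened form is that the nonce is generated only when the administrator's own page renders the link, so a request assembled elsewhere lacks a valid `_wpnonce` and `check_admin_referer()` stops it before any state changes. When reviewing a plugin for this class of bug, look for every handler that reads `$_GET`/`$_POST` and calls `update_option()`, `delete_option()` or a database write, and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call precedes it.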
This vulnerability allows unauthenticated attackers to manipulate code snippets on a WordPress site by tricking an administrator into performing certain actions. The potential impacts include:
1. Activation of malicious code snippets, which could lead to unauthorized code execution on the website.
2. Deactivation of important security-related code snippets, potentially weakening the site's defenses.
3. Deletion of crucial code snippets, which might disrupt site functionality or remove important features.
The CVSS v3.1 base score is 6.5 (High), with high integrity impact but no confidentiality or availability impact. The attack vector is network-based, requires low attack complexity, and needs user interaction.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. The vulnerability has been fixed in version 1.3.7 of the Insert PHP Code Snippet plugin for WordPress. Users should update to this version or later to mitigate the vulnerability.
1. Update the Insert PHP Code Snippet plugin to version 1.3.7 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the plugin until it can be updated.
3. Educate administrators about the risks of clicking on unknown links, especially when logged into the WordPress dashboard.
4. Implement additional security measures such as Web Application Firewalls (WAF) that can help detect and prevent CSRF attacks.
5. Regularly review and audit installed plugins, removing any that are unnecessary or no longer maintained.
6. Implement the principle of least privilege for WordPress user roles to minimize the impact of potential CSRF attacks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Feedly found the first article mentioning CVE-2024-7420.
Feedly estimated the CVSS score as HIGH
A CVSS base score of 6.5 has been assigned.