CVE-2024-7501
Cross-Site Request Forgery (CSRF) (CWE-352)
Published: Aug 16, 2024 / Updated: 3mo ago
010
CVSS 4.2EPSS 0.05%Medium
CVE info copied to clipboard
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Timeline
First Article
Feedly found the first article mentioning CVE-2024-7501. See article
Aug 16, 2024 at 7:21 AM / National Vulnerability Database
CVSS Estimate
Feedly estimated the CVSS score as HIGH
Aug 16, 2024 at 7:21 AM
Affected Systems
Wordpress/wordpress
+null more
Attack Patterns
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
+null more
News
CVE-2024-7501
Medium Severity Description The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files. Read more at https://www.tenable.com/cve/CVE-2024-7501
CVE-2024-7501
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. Gravedad 3.1 (CVSS 3.1 Base Score)
cveNotify : 🚨 CVE-2024-7501The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files.🎖@cveNotify
cveNotify : 🚨 CVE-2024-7501The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files.🎖@cveNotify
CVE-2024-7501 | algoritmika Download Plugins and Themes in ZIP from Dashboard Plugin download_theme cross-site request forgery
A vulnerability was found in algoritmika Download Plugins and Themes in ZIP from Dashboard Plugin up to 1.8.7 on WordPress. It has been rated as problematic . This issue affects the function download_theme . The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2024-7501 . The attack may be initiated remotely. There is no exploit available.
CVE-2024-7501 - WordPress Download Plugins and Themes CSRF Vulnerability
CVE ID : CVE-2024-7501 Published : Aug. 16, 2024, 7:15 a.m. 16 minutes ago Description : The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files.
See 5 more articles and social media posts