Exploit
CVE-2024-7892

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 25, 2024 / Updated: 55d ago

CVSS: 4.3 / EPSS: 0.04% / Severity: Medium

Summary

The adstxt Plugin WordPress plugin through version 1.0.0 lacks a Cross-Site Request Forgery (CSRF) check when updating its settings. Because the settings-save request carries no anti-CSRF token (a WordPress nonce), an attacker can craft a page that submits that request on behalf of a logged-in administrator who visits it, changing the plugin's settings without the administrator's knowledge.

Impact

If exploited, this vulnerability lets an attacker change the plugin's settings without the admin's knowledge or consent. Since the plugin manages the site's ads.txt file, which lists the sellers authorized to sell the site's ad inventory, an attacker could add their own seller entries or remove legitimate ones, diverting ad revenue or enabling unauthorized parties to sell against the site. Only the integrity of the advertising setup is affected; confidentiality of data and availability of the site are not directly impacted, which is reflected in the CVSS vector below (C:N, I:L, A:N).
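The missing check described in the Summary, and the WordPress-level protection recommended under Mitigation, as an added illustration. This is not the adstxt plugin's own code, and the option name (`example_adstxt_content`), form field names, nonce action and function names are hypothetical; only the WordPress API calls (`wp_nonce_field()`, `check_admin_referer()`, `current_user_can()`, `update_option()`) are real. The first function shows what a settings-save handler with no CSRF check looks like; the rest shows the hardened form.

```php
<?php
// Added example, not the adstxt plugin's code. Option, field and function names
// are hypothetical; the WordPress API calls are real.

// --- VULNERABLE pattern (CWE-352): no nonce, no capability check ---------------
// Any POST carrying the field is trusted, so a page a logged-in admin visits can
// auto-submit this form cross-site and rewrite the option. Deliberately NOT hooked
// to any action here so it is inert in this file.
function example_adstxt_save_vulnerable() {
    if ( isset( $_POST['example_adstxt_content'] ) ) {
        update_option( 'example_adstxt_content', wp_unslash( $_POST['example_adstxt_content'] ) );
    }
}

// --- HARDENED pattern ------------------------------------------------------------
// 1. Render the form with a nonce bound to a specific action string.
function example_adstxt_render_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_adstxt_save', 'example_adstxt_nonce' ); ?>
        <textarea name="example_adstxt_content" rows="10" cols="80"><?php
            echo esc_textarea( get_option( 'example_adstxt_content', '' ) );
        ?></textarea>
        <?php submit_button( 'Save ads.txt' ); ?>
    </form>
    <?php
}

// 2. On save, require the capability AND a valid nonce before touching the option.
function example_adstxt_save_hardened() {
    if ( ! isset( $_POST['example_adstxt_content'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: check_admin_referer() verifies the nonce (and the referer) and dies
    // with a 403 if it is missing, expired, or minted for another action or user.
    check_admin_referer( 'example_adstxt_save', 'example_adstxt_nonce' );

    // Validate before storing. This is a conservative allowlist of the ads.txt
    // format (comments, blank lines, KEY=value variables, and
    // "<domain>, <publisher id>, DIRECT|RESELLER[, <cert authority id>]");
    // anything else is dropped rather than stored.
    $raw   = sanitize_textarea_field( wp_unslash( $_POST['example_adstxt_content'] ) );
    $clean = array();
    foreach ( preg_split( '/\r\n|\r|\n/', $raw ) as $line ) {
        $line = trim( $line );
        if ( '' === $line || '#' === $line[0] ) {
            $clean[] = $line;
            continue;
        }
        if ( preg_match( '/^[A-Z]+=.+$/i', $line )
            || preg_match( '/^[a-z0-9.-]+\s*,\s*[^,\s]+\s*,\s*(DIRECT|RESELLER)(\s*,\s*[a-f0-9]+)?$/i', $line ) ) {
            $clean[] = $line;
        }
    }
    update_option( 'example_adstxt_content', implode( "\n", $clean ) );
}
add_action( 'admin_init', 'example_adstxt_save_hardened' );
```

The order of the checks matters: the capability check answers "may this user do this at all", and the nonce check answers "did this user actually intend this request". A nonce alone does not authorize, and a capability check alone does not stop CSRF, because the forged request rides on the admin's own session cookie.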

Exploitation

A proof-of-concept exploit is available on wpscan.com (see Exploits below). There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, no fixed version is named. The advisory lists the adstxt Plugin WordPress plugin through version 1.0.0 as affected, so users should check for a release newer than 1.0.0 or consider an alternative until a patched version is available.

Mitigation

To mitigate this vulnerability:

1. Update the adstxt Plugin to a version newer than 1.0.0 if one is available.
2. If no update is available, disable the plugin until a patched version is released.
3. A Web Application Firewall (WAF) that rejects state-changing admin requests whose Origin or Referer header does not match the site can reduce exposure, but it is not a substitute for a proper nonce check in the plugin itself.
4. Educate administrators about CSRF: avoid following untrusted links while logged into the WordPress admin panel, or use a separate browser profile for administration.
5. Regularly monitor the plugin's settings and the served ads.txt file for unauthorized changes.
6. Where possible, add CSRF protection at the WordPress level: a WordPress nonce (wp_nonce_field() / check_admin_referer()) together with a capability check (current_user_can()) on the settings-save handler.
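The monitoring control in point 5 above, as an added example that is not part of the adstxt plugin or of any WordPress component. It parses two ads.txt texts into normalised entries and reports what was added, removed or changed, so a drift alert names the seller entry rather than just "the file changed". Both texts are constructed sample input; in use, `$current` would be fetched from the live site (for example with `wp_remote_get()` or `file_get_contents()`) and `$baseline` stored when the administrator last approved the file.

```php
<?php
// Added example, not the adstxt plugin's code. Sample ads.txt content below is
// constructed; publisher IDs and the certification-authority ID are placeholders.

/**
 * Parse ads.txt into a map keyed by normalised "domain,publisher id,RELATIONSHIP".
 * The optional 4th field (certification authority ID) is the value.
 * Variable lines (OWNERDOMAIN=..., CONTACT=...) are kept under a "var:" key,
 * malformed lines are kept under "malformed:" so they are surfaced, not hidden.
 * Comments (#...) and blank lines are ignored.
 */
function adstxt_parse( string $text ): array {
    $entries = array();
    foreach ( preg_split( '/\r\n|\r|\n/', $text ) as $line ) {
        $line = trim( preg_replace( '/#.*$/', '', $line ) );
        if ( '' === $line ) {
            continue;
        }
        if ( preg_match( '/^([A-Z]+)=(.+)$/i', $line, $m ) ) {
            $entries[ 'var:' . strtoupper( $m[1] ) ] = trim( $m[2] );
            continue;
        }
        $fields = array_map( 'trim', explode( ',', $line ) );
        if ( count( $fields ) < 3 ) {
            $entries[ 'malformed:' . $line ] = $line;
            continue;
        }
        $key             = strtolower( $fields[0] ) . ',' . $fields[1] . ',' . strtoupper( $fields[2] );
        $entries[ $key ] = $fields[3] ?? '';
    }
    return $entries;
}

/** Return added / removed / changed entry keys between a baseline and the current file. */
function adstxt_diff( string $baseline, string $current ): array {
    $a = adstxt_parse( $baseline );
    $b = adstxt_parse( $current );
    return array(
        'added'   => array_keys( array_diff_key( $b, $a ) ),
        'removed' => array_keys( array_diff_key( $a, $b ) ),
        'changed' => array_keys( array_filter(
            array_intersect_key( $b, $a ),
            function ( $v, $k ) use ( $a ) { return $a[ $k ] !== $v; },
            ARRAY_FILTER_USE_BOTH
        ) ),
    );
}

// Constructed sample: the file the administrator approved...
$baseline = <<<TXT
# approved baseline
OWNERDOMAIN=example.com
adexchange.example, pub-1234567890123456, DIRECT, 0123456789abcdef
reseller.example, 1234, RESELLER
TXT;

// ...and what the site serves now, after a hypothetical settings change.
$current = <<<TXT
OWNERDOMAIN=example.com
adexchange.example, pub-1234567890123456, DIRECT, 0123456789abcdef
adexchange.example, pub-9999999999999999, DIRECT, 0123456789abcdef
reseller.example, 1234, DIRECT
TXT;

$diff = adstxt_diff( $baseline, $current );
if ( $diff['added'] || $diff['removed'] || $diff['changed'] ) {
    echo "ALERT: ads.txt drifted from baseline\n";
    foreach ( $diff as $kind => $keys ) {
        foreach ( $keys as $k ) {
            echo "  $kind: $k\n";
        }
    }
    exit( 1 ); // non-zero exit so cron or a monitoring agent can alert on it
}
echo "ads.txt matches baseline\n";
```

On the constructed sample this reports two added entries (the new publisher ID, and the reseller now claiming a DIRECT relationship) and one removed entry (the original RESELLER line); a relationship change deliberately shows up as remove plus add, because DIRECT versus RESELLER is part of the identity of an ads.txt entry. Run it from cron after each plugin settings change window, and keep the baseline somewhere the WordPress admin session cannot modify.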

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-7892

Sep 25, 2024 at 6:15 AM
First Article

Feedly found the first article mentioning CVE-2024-7892.

Sep 25, 2024 at 6:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 25, 2024 at 6:24 AM
CVSS

A CVSS base score of 4.3 has been assigned.

Sep 25, 2024 at 2:40 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 7, 2024 at 7:11 PM

Affected Systems

Vladyslavbondarenko/adstxt

Exploits

https://wpscan.com/vulnerability/c07a4992-c9a1-46a4-9a52-9e38b6d15440/

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-7892 Exploit
CVE Id: CVE-2024-7892. Published Date: 2024-10-07T17:26:00+00:00. The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. inTheWild added a link to an exploit: https://wpscan.com/vulnerability/c07a4992-c9a1-46a4-9a52-9e38b6d15440/
cveNotify: 🚨 CVE-2024-7892 The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack 🎖@cveNotify
Update Wed Sep 25 14:35:02 UTC 2024
CVE-2024-7892
Medium Severity Description The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Read more at https://www.tenable.com/cve/CVE-2024-7892
NA - CVE-2024-7892 - The adstxt Plugin WordPress plugin through...
The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
