Cross-Site Request Forgery (CSRF) (CWE-352)
The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This vulnerability is due to missing or incorrect nonce validation on the 'update_api_key' function. It allows unauthenticated attackers to update an API key via a forged request if they can trick a site administrator into performing an action such as clicking on a link.
If exploited, this vulnerability could allow attackers to update API keys without proper authorization. This could potentially lead to unauthorized access to third-party services integrated with the plugin, such as Google Reviews, Yelp, or TripAdvisor. The attacker might be able to manipulate or compromise the integrity of the reviews displayed on the affected WordPress site. While the direct confidentiality impact is rated as none and the availability impact is also none, there is a low integrity impact, which could affect the trustworthiness of the displayed reviews and potentially damage the site's reputation.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at this time.
A patch is available. The vulnerability has been addressed in version 1.2.0 of the Reviews Feed plugin. Site administrators should update to this version or later to mitigate the vulnerability.
1. Update the Reviews Feed plugin to version 1.2.0 or later immediately.
2. Educate site administrators about the risks of clicking on unknown links, especially when logged into the WordPress dashboard.
3. Implement additional security measures such as Web Application Firewalls (WAF) to help detect and prevent CSRF attacks.
4. Regularly review and audit API keys and their permissions for any unauthorized changes.
5. Consider implementing additional authentication mechanisms for sensitive operations within the WordPress admin area.
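The pattern behind this class of bug, shown as an added illustration rather than the Reviews Feed plugin's own code: a settings handler that writes an API key on any POST arriving with the administrator's cookies, beside the same handler guarded by a WordPress nonce and a capability check. The handler, option and form names are assumed for the example.

```php
<?php
// Added illustration, not the Reviews Feed plugin's code. The handler names,
// the 'rf_example_api_key' option and the form action are assumed.

// Vulnerable pattern: the handler trusts any POST that reaches it. A forged
// cross-site form submission carries the logged-in admin's cookies, so it runs.
function rf_example_update_api_key_vulnerable() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'rf_example_api_key', $key );
    wp_safe_redirect( admin_url( 'admin.php?page=rf-example' ) );
    exit;
}

// Hardened pattern: require the capability AND a nonce bound to this action.
// check_admin_referer() stops the request when the nonce is missing or invalid,
// which is exactly what a request forged from another origin cannot supply.
function rf_example_update_api_key_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'rf_example_update_api_key', 'rf_example_nonce' );
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'rf_example_api_key', $key );
    wp_safe_redirect( admin_url( 'admin.php?page=rf-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_rf_example_update_api_key', 'rf_example_update_api_key_fixed' );

// The settings form must emit the matching nonce field for the fixed handler.
function rf_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rf_example_update_api_key">
        <?php wp_nonce_field( 'rf_example_update_api_key', 'rf_example_nonce' ); ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'rf_example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save API key' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this issue, look for any `update_option()` or similar write reachable from an admin-post, AJAX or settings handler that is not preceded by `check_admin_referer()` / `wp_verify_nonce()` plus a `current_user_can()` check.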
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Feedly found the first article mentioning CVE-2024-8200.
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.05% (Percentile: 21.3%)