CVE-2024-8476

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 4.3 / EPSS 0.05% / Medium

Summary

The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.2.1. This vulnerability is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. It allows unauthenticated attackers to delete arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
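As an added, hypothetical illustration (not the Easy PayPal Events plugin's code and not its actual patch), this is the pattern that closes the bug class named above in a WordPress admin action: the delete link carries a nonce, and the handler verifies both the nonce and the user's capability before calling wp_delete_post(). The function and action names are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical admin-post handler (not the plugin's own code) showing the
// nonce and capability checks whose absence makes a delete action forgeable.
// Assumes it runs inside a WordPress plugin.

// Build the link an administrator clicks. wp_nonce_url() appends a nonce
// bound to the action string and the current user's session, so a page on
// another origin cannot construct a link that passes the check below.
function example_delete_link( int $post_id ): string {
    $url = add_query_arg(
        array( 'action' => 'example_delete_event', 'post_id' => $post_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_event_' . $post_id, '_wpnonce' );
}

// Handler for the admin_post_{action} hook (fires for logged-in users).
function example_handle_delete(): void {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    // 1. Nonce check: a forged cross-site request cannot carry a valid nonce.
    //    check_admin_referer() calls wp_die() on failure, so nothing below
    //    runs for a forged request.
    check_admin_referer( 'example_delete_event_' . $post_id, '_wpnonce' );

    // 2. Capability check: a valid nonce proves intent, not authorization,
    //    so the user must also be allowed to delete this specific post.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to delete this post.' ),
            '',
            array( 'response' => 403 )
        );
    }

    wp_delete_post( $post_id, false ); // trash rather than hard-delete

    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_example_delete_event', 'example_handle_delete' );
```

Missing either check is what the CWE-352 description above refers to: without the nonce the request is forgeable, and without the capability check a valid nonce alone would still let any logged-in user reach the deletion.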

Impact

The impact of this vulnerability is primarily on the integrity of the WordPress site using the affected plugin. Attackers can potentially delete arbitrary posts, which could lead to loss of content and disruption of the website's functionality. The attack requires user interaction, as the attacker needs to trick a site administrator into clicking a malicious link. There is no direct impact on confidentiality or availability of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 1.2.2 of the Easy PayPal Events plugin. The patch was added on October 2, 2024, and can be found in the WordPress plugin repository.

Mitigation

To mitigate this vulnerability, the following steps are recommended:

1. Update the Easy PayPal Events plugin to version 1.2.2 or later, which includes the patch for this vulnerability.
2. If immediate updating is not possible, consider temporarily disabling the Easy PayPal Events plugin until it can be updated.
3. Educate site administrators about the risks of clicking on unknown links, especially when logged into the WordPress admin panel.
4. Implement general security best practices such as using strong, unique passwords and enabling two-factor authentication for WordPress admin accounts.
5. Regularly back up your WordPress site to ensure quick recovery in case of any successful attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8476.

Sep 24, 2024 at 3:52 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 3:53 PM
CVE Assignment

NVD published the first details for CVE-2024-8476

Sep 25, 2024 at 3:15 AM
CVSS

A CVSS base score of 4.3 has been assigned.

Sep 25, 2024 at 3:15 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as LOW

Sep 25, 2024 at 3:36 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21%)

Sep 25, 2024 at 9:39 AM

Affected Systems

Wpplugin/easy_paypal_events

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Update Thu Oct 10 14:37:03 UTC 2024
CVE-2024-8476
Medium Severity Description The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Read more at https://www.tenable.com/cve/CVE-2024-8476
Medium - CVE-2024-8476 - The Easy PayPal Events plugin for WordPress is...
The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the...
- MEDIUM - CVE-2024-8476 The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-8476 - PayPal Events WordPress Cross-Site Request Forgery Vulnerability
CVE ID : CVE-2024-8476 Published : Sept. 25, 2024, 3:15 a.m. 19 minutes ago Description : The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Severity:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
