CVE-2024-8795

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 24, 2024 / Updated: 57d ago

CVSS 8.8 / EPSS 0.05% / Severity: High

Summary

The BA Book Everything plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.6.20. This vulnerability stems from missing or incorrect nonce validation in the my_account_update() function. As a result, unauthenticated attackers can potentially update a user's account details through a forged request, provided they can deceive a site administrator into performing an action such as clicking on a malicious link.
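The following is an added illustration, not the plugin's own code: a hypothetical WordPress account-update handler with the defect class described above (a state-changing POST handler that never checks a nonce) beside a version that verifies the nonce before touching the account. The handler and nonce names (my_account_update_*, babe_*) are assumptions; the WordPress functions called are real core APIs.

```php
<?php
// Added example (hypothetical, not the BA Book Everything source).
// WordPress nonces are the core CSRF defence: a token bound to the action and
// to the logged-in user's session, which a cross-site page cannot read.

// VULNERABLE pattern: trusts any POST that reaches the handler. The browser of
// a logged-in user attaches their cookies to a forged form submission, so the
// account is changed without the user's intent.
function my_account_update_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $user_id = get_current_user_id();
    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// HARDENED pattern: the request must carry a nonce issued for this action.
// check_ajax_referer() wraps wp_verify_nonce() and stops the request (HTTP 403
// for AJAX calls) when the nonce is missing, stale or minted for another user.
function my_account_update_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    check_ajax_referer( 'babe_my_account_update', 'babe_nonce' );

    $user_id = get_current_user_id();
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// The legitimate form embeds the matching nonce field; wp_nonce_field() emits a
// hidden input named babe_nonce whose value only this user's session can produce.
function babe_render_account_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="my_account_update">';
    wp_nonce_field( 'babe_my_account_update', 'babe_nonce' );
    echo '<input type="email" name="email"><button type="submit">Save</button></form>';
}

add_action( 'wp_ajax_my_account_update', 'my_account_update_hardened' );
```

When auditing a plugin for this bug class, look for every handler hooked to wp_ajax_*, admin_post_* or a front-end form that calls wp_update_user(), update_user_meta() or similar without a preceding check_ajax_referer(), check_admin_referer() or wp_verify_nonce() call.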

Impact

The impact of this vulnerability is severe, with a CVSS v3.1 base score of 8.8 (High). Successful exploitation could lead to:

1. Unauthorized account access: attackers can reset a user's password, potentially gaining full access to their account.
2. Data breach: with access to user accounts, sensitive information could be compromised.
3. Privilege escalation: if an attacker gains access to an administrator account, they could potentially take control of the entire WordPress site.
4. Reputational damage: compromised user accounts could lead to loss of trust in the website or organization.

It's important to note that while the attack requires user interaction (such as an administrator clicking a malicious link), it can be executed by an unauthenticated attacker from the network, increasing its potential reach and severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. The issue has been addressed in version 1.6.21 of the BA Book Everything plugin for WordPress. Website administrators should update to this version or later as soon as possible to mitigate the risk.

Mitigation

To mitigate this vulnerability, consider the following recommendations:

1. Update immediately: upgrade the BA Book Everything plugin to version 1.6.21 or later.
2. Implement strong authentication: use multi-factor authentication for administrator accounts to reduce the risk of unauthorized access.
3. User awareness: educate administrators and users about the risks of clicking on suspicious links, especially when logged into the WordPress dashboard.
4. Regular security audits: conduct periodic reviews of installed plugins and their versions to ensure they are up-to-date and free from known vulnerabilities.
5. Web Application Firewall (WAF): consider implementing a WAF that can help detect and block CSRF attacks.
6. Principle of least privilege: ensure that user accounts have only the permissions required for their roles.

Given the high severity score and the potential for significant impact, addressing this vulnerability should be prioritized in your patching and remediation efforts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment (Sep 24, 2024 at 2:15 AM): NVD published the first details for CVE-2024-8795.

First Article (Sep 24, 2024 at 2:21 AM, National Vulnerability Database): Feedly found the first article mentioning CVE-2024-8795.

CVSS Estimate (Sep 24, 2024 at 2:21 AM): Feedly estimated the CVSS score as LOW.

CVSS Estimate (Sep 24, 2024 at 2:31 AM): Feedly estimated the CVSS score as MEDIUM.

Detection in Vulnerability Scanners (Sep 24, 2024 at 7:53 AM): Detection for the vulnerability has been added to Qualys (152231).

EPSS (Sep 24, 2024 at 9:33 AM): EPSS Score was set to 0.05% (Percentile: 22.7%).

Affected Systems

Ba-booking/ba_book_everything

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Web Application Detections Published in September 2024
In September, Qualys released QIDs targeting vulnerabilities in several widely-used software products, including WordPress, Tiki Wiki CMS, Apache HTTP Server, XWiki, Apache OFBiz, Lunary-ai, GitLab, Adobe ColdFusion, Moodle CMS, Zimbra, JBoss EAP, Kibana, Drupal, Ivanti Endpoint Manager (EPM), Apache Tomcat, Joomla!, Nginx, Open Secure Sockets Layer (OpenSSL). Customers can get more details about the following QIDs in our knowledge base. Customers should review their reports for these detections. If any of the following are reported against their applications scanned, customers should follow the steps mentioned in the solution to ensure their systems are protected against the identified vulnerabilities.

QID / Title
152148 WordPress WPML Plugin: Remote Code Execution Vulnerability (CVE-2024-6386)
152150 WordPress Bit Form Plugin: SQL Injection Vulnerability (CVE-2024-7702)
152151 WordPress Bit Form Plugin: Arbitrary File Read And Delete Vulnerability (CVE-2024-7777)
152157 WordPress LiquidPoll Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7134)
152158 WordPress GEO my WP Plugin: Local File Inclusion Vulnerability (CVE-2024-6330)
152159 WordPress AI Engine Plugin:
CVE Alert: CVE-2024-8795 - https://www.redpacketsecurity.com/cve_alert_cve-2024-8795/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_8795
Security Bulletin 25 Sep 2024 - Cyber Security Agency of Singapore
CVE-2024-9014, pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to ...
CVE-2024-8795
This makes it possible for unauthenticated attackers to update a user's account details via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Severity 3.1 (CVSS 3.1 Base Score)
BA Book Everything <= 1.6.20 - Cross-Site Request Forgery to Email Address Update/Account Takeover
Bookingalgorithms - HIGH - CVE-2024-8795 The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
