CVE-2024-9351

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Oct 17, 2024 / Updated: 33d ago

CVSS 4.3 / EPSS 0.05% / Medium severity

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
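The advisory attributes the flaw to missing nonce validation on an admin-ajax handler. As an added illustration (not Forminator's code, which the page does not show), here is a minimal WordPress AJAX handler exhibiting that CWE-352 pattern beside the corrected version that verifies the nonce and the caller's capability; the action name, nonce action, post type and script handle are assumptions chosen for this example.

```php
<?php
// Added example, not the plugin's code. 'example_create_module',
// 'example_create_module_nonce', 'example_module' and 'example-admin'
// are assumed names for this illustration.

function example_insert_draft_module( $title ) {
    return wp_insert_post( array(
        'post_type'   => 'example_module',
        'post_title'  => sanitize_text_field( $title ),
        'post_status' => 'draft',
    ) );
}

// VULNERABLE (shown for contrast, not registered): the handler relies on the
// administrator's session cookies alone. A cross-site form submitted while
// the admin is logged in is accepted, because nothing proves the request
// originated from a page the admin actually loaded.
function example_create_module_vulnerable() {
    $title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    wp_send_json_success( array( 'id' => example_insert_draft_module( $title ) ) );
}

// FIXED: check_ajax_referer() reads the token from $_REQUEST['nonce'] (the
// field named in its second argument), verifies it was issued for this
// action and this user, and by default ends the request with "-1" when it
// is missing or invalid. The capability check then limits who may create.
function example_create_module_fixed() {
    check_ajax_referer( 'example_create_module_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    wp_send_json_success( array( 'id' => example_insert_draft_module( $title ) ) );
}
add_action( 'wp_ajax_example_create_module', 'example_create_module_fixed' );

// The nonce is issued to the admin's own page and echoed back by the
// plugin's script, so a forged cross-site request cannot know it.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_create_module_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

A nonce check alone stops the forged request; the capability check is kept because nonces are not an authorization mechanism.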

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9351. See article

Oct 17, 2024 at 5:46 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 17, 2024 at 5:47 AM
CVE Assignment

NVD published the first details for CVE-2024-9351

Oct 17, 2024 at 6:15 AM
CVSS

A CVSS base score of 4.3 has been assigned.

Oct 17, 2024 at 6:15 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as LOW

Oct 17, 2024 at 6:33 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.4%)

Oct 18, 2024 at 10:20 AM

Affected Systems

Wordpress/wordpress

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-9351 (Tenable) - Medium severity; repeats the description above. Read more at https://www.tenable.com/cve/CVE-2024-9351
Medium - CVE-2024-9351 - The Forminator Forms – Contact Form, Payment... (repeats the description above)
CVE-2024-9351 (Spanish-language listing; "Gravedad 3.1" is the CVSS 3.1 Base Score) - repeats the description above
The Forminator Forms Plugin Vulnerable to Cross-Site Request Forgery
WPmudev - MEDIUM - CVE-2024-9351 (repeats the description above)
CVE-2024-9351 - Forminator Forms - WordPress CSRF Vulnerability (published Oct. 17, 2024, 6:15 a.m.; repeats the description above)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
