CVE-2024-9434
Cross-Site Request Forgery (CSRF) (CWE-352)
Published: Oct 31, 2024 / Updated: 19d ago
010
CVSS 6.1EPSS 0.05%Medium
CVE info copied to clipboard
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the on__translate_options_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Timeline
First Article
Feedly found the first article mentioning CVE-2024-9434. See article
Oct 31, 2024 at 6:59 AM / Vulners.com RSS Feed
CVSS Estimate
Feedly estimated the CVSS score as MEDIUM
Oct 31, 2024 at 6:59 AM
CVE Assignment
NVD published the first details for CVE-2024-9434
Oct 31, 2024 at 7:15 AM
CVSS
A CVSS base score of 6.1 has been assigned.
Oct 31, 2024 at 7:20 AM / nvd
EPSS
EPSS Score was set to: 0.05% (Percentile: 18%)
Nov 1, 2024 at 9:55 AM
Affected Systems
Wpglobus/translateoption
+null more
Attack Patterns
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
+null more
News
US-CERT Vulnerability Summary for the Week of October 28, 2024
abdullahirfan — documentpress Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Abdullah Irfan DocumentPress allows Reflected XSS.This issue affects DocumentPress: from n/a through 2.1. 2024-10-29 6.1 CVE-2024-49656 [email protected] abdullahirfan — whitelist Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Abdullah Irfan Whitelist allows Reflected XSS.This issue affects Whitelist: from n/a through 3.5. 2024-10-29 6.1 CVE-2024-49643 [email protected] AffiliateX–AffiliateX Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in AffiliateX allows Stored XSS.This issue affects AffiliateX: from n/a through 1.2.9. 2024-10-29 6.5 CVE-2024-49692 [email protected] Ahmed Kaludi, Mohammed Kaludi–AMP for WP Missing Authorization vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AMP for WP: from n/a through 1.0.96.1. 2024-11-01 6.3 CVE-2024-43146 [email protected] Alex Volkov–WP Accessibility Helper (WAH) Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.
CVE Alert: CVE-2024-9434 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9434/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9434
CVE Alert: CVE-2024-9434
This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0.
null
- MEDIUM - CVE-2024-9434 The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the on__translate_options_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Medium - CVE-2024-9434 - The WPGlobus Translate Options plugin for...
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on...
See 7 more articles and social media posts