CVE-2024-9990

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 8.8 / EPSS 0.06% / Severity: High

Summary

The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This vulnerability is caused by missing nonce validation in the 'crypto_connect_ajax_process::check' function. It allows unauthenticated attackers to log in as any existing user on the site, including administrators, via a forged request if they can trick a site administrator into performing an action such as clicking on a link.
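A forged request succeeds in a case like this because the victim's browser attaches the site's cookies to any request an attacker's page makes it send; the only thing that separates a genuine request from a forged one is a per-session secret the attacker's page cannot read, which is exactly what a WordPress nonce is. The following is an added illustration, not code from the Crypto plugin: it shows the general shape of an AJAX handler that performs a sensitive action with no nonce validation, and the same handler with the validation WordPress provides. The hook names, the 'crypto_demo_check' action, the 'nonce' request field, the 'manage_options' capability and the script handle are assumptions made for the example.

```php
<?php
// Added example, not the Crypto plugin's code. Action name, request
// fields and capability are assumed for illustration.

// Vulnerable pattern: an AJAX handler reachable by logged-out visitors
// (wp_ajax_nopriv_*) that issues a login for whatever user ID the request
// names, with no nonce check. Nothing ties the request to a page this site
// rendered, so a <form> or fetch() on an attacker's page can trigger it
// in the victim's browser.
add_action( 'wp_ajax_nopriv_crypto_demo_check', 'crypto_demo_check_vulnerable' );
function crypto_demo_check_vulnerable() {
	$user_id = absint( $_POST['user_id'] ?? 0 );   // attacker-controlled
	$user    = get_user_by( 'id', $user_id );
	if ( $user ) {
		wp_set_current_user( $user->ID );
		wp_set_auth_cookie( $user->ID );           // session issued without any proof of intent
	}
	wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce minted for this action.
// check_ajax_referer() verifies it against the caller's session and ends the
// request (HTTP 403 for AJAX) if it is missing or invalid. The nonce proves
// the request originated from a page this site rendered for this session;
// the capability check decides whether the session may do the work.
add_action( 'wp_ajax_crypto_demo_check', 'crypto_demo_check_hardened' );
function crypto_demo_check_hardened() {
	check_ajax_referer( 'crypto_demo_check', 'nonce' ); // dies on failure
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	// The privileged operation goes here. It operates on the already
	// authenticated user; it never "logs in as" a user named in the request.
	wp_send_json_success();
}

// The legitimate caller gets its nonce server-side when the admin page is
// rendered, and sends it back as the 'nonce' field of the AJAX request.
add_action( 'admin_enqueue_scripts', 'crypto_demo_enqueue' );
function crypto_demo_enqueue() {
	wp_enqueue_script( 'crypto-demo', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'crypto-demo', 'cryptoDemo', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'crypto_demo_check' ),
	) );
}
```

Two things to check when reviewing a handler like this: that the nonce check is the first statement, before any side effect, and that it is paired with a capability check. A nonce is not authorization; it only shows the request came from a page the site served to that session, so a handler that validates the nonce but still acts on a user ID taken from the request remains an account-takeover primitive.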

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.8. The potential impacts are:

1. Unauthorized access: an attacker obtains a session for an existing user account, including an administrator account, compromising the confidentiality of everything that account can read.
2. Privilege escalation: logged in as an administrator, the attacker can perform any action available to administrators, which can lead to full site compromise.
3. Data integrity: with admin access, the attacker can modify or delete critical site data, affecting the integrity of the WordPress installation.
4. Reputation damage: a successful exploit can cause significant reputation damage for the affected website.

The attack requires user interaction (UI:R in the vector), typically tricking an administrator into clicking a malicious link. That lowers the likelihood of exploitation somewhat but does nothing to reduce the impact once it succeeds.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability affects versions of the Crypto plugin for WordPress up to and including version 2.15. Website administrators should update the Crypto plugin to a version newer than 2.15 as soon as possible to address this vulnerability.

Mitigation

1. Update the Crypto plugin for WordPress to the latest version (after 2.15) immediately.
2. Do not count on a Content Security Policy for this issue. CSRF does not require any script to run on the target site, so a CSP on the site does not block a forged cross-site request; the fix has to be nonce validation in the plugin itself.
3. Educate administrators and users about the risks of clicking unknown links, especially while logged in to the WordPress admin panel.
4. Consider additional authentication factors for admin accounts as an extra layer of security.
5. Regularly audit user accounts and access levels to enforce the principle of least privilege.
6. Monitor for suspicious logins or unexpected admin actions that could indicate compromise.
7. If you cannot update immediately, consider temporarily disabling the Crypto plugin until it can be updated safely.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9990. See article

Oct 29, 2024 at 4:47 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 29, 2024 at 4:48 PM
CVE Assignment

NVD published the first details for CVE-2024-9990

Oct 29, 2024 at 5:15 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 29, 2024 at 5:21 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 29, 2024 at 5:38 PM
EPSS

EPSS Score was set to: 0.06% (Percentile: 24%)

Oct 30, 2024 at 10:18 AM

Affected Systems

Odude/crypto_tool

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 28, 2024 to November 3, 2024)
WordPress Plugins with Reported Vulnerabilities Last Week. All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in scope for ALL researchers.
CVE Alert: CVE-2024-9990
This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
- HIGH - CVE-2024-9990: The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
CVE-2024-9990
The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. Severity (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
