The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:47
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
References | () https://plugins.trac.wordpress.org/browser/bulk-editor/trunk/index.php - Product | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3028699%40bulk-editor%2Ftrunk&old=3012874%40bulk-editor%2Ftrunk&sfp_email=&sfph_mail= - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3?source=cve - Third Party Advisory |
13 Feb 2024, 19:42
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:pluginus:wolf_-_wordpress_posts_bulk_editor_and_products_manager_professional:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3?source=cve - Third Party Advisory | |
References | () https://plugins.trac.wordpress.org/browser/bulk-editor/trunk/index.php - Product | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3028699%40bulk-editor%2Ftrunk&old=3012874%40bulk-editor%2Ftrunk&sfp_email=&sfph_mail= - Patch | |
First Time |
Pluginus wolf - Wordpress Posts Bulk Editor And Products Manager Professional
Pluginus |
|
CWE | CWE-352 |
05 Feb 2024, 22:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-05 22:16
Updated : 2024-11-21 08:47
NVD link : CVE-2024-0790
Mitre link : CVE-2024-0790
CVE.ORG link : CVE-2024-0790
JSON object : View
Products Affected
pluginus
- wolf_-_wordpress_posts_bulk_editor_and_products_manager_professional
CWE
CWE-352
Cross-Site Request Forgery (CSRF)