CVE-2024-9588

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'wpaft_option_page' function. This makes it possible for unauthenticated attackers to add and delete taxonomy meta, granted they can trick a site administrator into performing an action such as clicking on a link.
Configurations

Configuration 1 (hide)

cpe:2.3:a:aftabhusain:category_and_taxonomy_meta_fields:*:*:*:*:*:wordpress:*:*

History

25 Oct 2024, 21:15

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/wp-custom-taxonomy-meta/trunk/includes/options.php?rev=1196908#L103 - () https://plugins.trac.wordpress.org/browser/wp-custom-taxonomy-meta/trunk/includes/options.php?rev=1196908#L103 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/2dc9c744-6ffb-4d7a-94ce-ba576d7b6d47?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/2dc9c744-6ffb-4d7a-94ce-ba576d7b6d47?source=cve - Third Party Advisory
CPE cpe:2.3:a:aftabhusain:category_and_taxonomy_meta_fields:*:*:*:*:*:wordpress:*:*
First Time Aftabhusain category And Taxonomy Meta Fields
Aftabhusain

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) El complemento Category and Taxonomy Meta Fields para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 1.0.0 incluida. Esto se debe a la falta o la validación incorrecta de nonce en la función 'wpaft_option_page'. Esto permite que atacantes no autenticados agreguen y eliminen metadatos de taxonomía, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace.

22 Oct 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-22 08:15

Updated : 2024-10-25 21:15


NVD link : CVE-2024-9588

Mitre link : CVE-2024-9588

CVE.ORG link : CVE-2024-9588


JSON object : View

Products Affected

aftabhusain

  • category_and_taxonomy_meta_fields
CWE
CWE-352

Cross-Site Request Forgery (CSRF)