The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
References
History
Thu, 21 Nov 2024 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |
| Title | WIP Incoming Lite <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting | |
| Weaknesses | CWE-352 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-21T02:06:46.844Z
Updated: 2024-11-21T02:06:46.844Z
Reserved: 2024-11-19T14:21:02.217Z
Link: CVE-2024-11416
Vulnrichment
No data.
NVD
No data.
Redhat
No data.