CVE-2024-9689 - OpenCVE

The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Shaon	Post From Frontend

No data.

No data.

References

Link	Providers
https://wpscan.com/vulnerability/ea501d37-1ec2-43ec-873a-ec204e965f60/

History

Tue, 05 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Shaon Shaon post From Frontend
CPEs		cpe:2.3:a:shaon:post_from_frontend::::::::
Vendors & Products		Shaon Shaon post From Frontend
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 05 Nov 2024 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack
Title		Post From Frontend <= 1.0.0 - Post Deletion via CSRF
References		https://wpscan.com/vulnerability/ea501d37-1ec2-43ec-873a-ec204e965f60/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-11-05T06:00:08.314Z

Updated: 2024-11-05T15:42:24.254Z

Reserved: 2024-10-09T13:33:36.680Z

Link: CVE-2024-9689

Vulnrichment

Updated: 2024-11-05T15:40:25.747Z

NVD

Status : Awaiting Analysis

Published: 2024-11-05T06:15:06.360

Modified: 2024-11-05T16:36:00.010

Link: CVE-2024-9689

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9689", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2024-10-09T13:33:36.680Z", "datePublished": "2024-11-05T06:00:08.314Z", "dateUpdated": "2024-11-05T15:42:24.254Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-11-05T06:00:08.314Z"}, "title": "Post From Frontend <= 1.0.0 - Post Deletion via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Post From Frontend", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack"}], "references": [{"url": "https://wpscan.com/vulnerability/ea501d37-1ec2-43ec-873a-ec204e965f60/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"affected": [{"vendor": "shaon", "product": "post_from_frontend", "cpes": ["cpe:2.3:a:shaon:post_from_frontend:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-05T15:37:16.816200Z", "id": "CVE-2024-9689", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T15:42:24.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-9689", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-05T15:37:16.816200Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:shaon:post_from_frontend:*:*:*:*:*:*:*:*"], "vendor": "shaon", "product": "post_from_frontend", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T15:40:25.747Z"}}], "cna": {"title": "Post From Frontend <= 1.0.0 - Post Deletion via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Post From Frontend", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "affected"}], "references": [{"url": "https://wpscan.com/vulnerability/ea501d37-1ec2-43ec-873a-ec204e965f60/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-11-05T06:00:08.314Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9689", "state": "PUBLISHED", "dateUpdated": "2024-11-05T15:42:24.254Z", "dateReserved": "2024-10-09T13:33:36.680Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2024-11-05T06:00:08.314Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}