CVE-2024-0379

4.3MEDIUM

Key Information

Vendor: Smashballoon
Status: Custom Twitter Feeds – A Tweets Widget Or X Feed Widget
Vendor: CVE Published:; 29 February 2024

Badges

👾 Exploit Exists🔴 Public PoC

Summary

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's twitter API token and secret via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Version(s)

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-0379
Created by kodaichodai

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

👾
Exploit exists.
Sep 11, 2024
Vulnerability published.
Feb 29, 2024
Disclosed
Feb 6, 2024
Vulnerability Reserved.
Jan 9, 2024

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

Justin Gardner

Kodai Kubono