Cross-Site Request Forgery Vulnerability in Comments Extra Fields for WordPress
CVE-2024-0830
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 13 March 2024
Summary
The Comments Extra Fields For Post, Pages and CPT plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability due to inadequate nonce validation across multiple AJAX actions. This issue allows unauthenticated attackers to send crafted requests to the WordPress site, potentially tricking site administrators into executing harmful actions, such as altering comment form fields and manipulating plugin settings. Implementing proper nonce validation is essential to mitigate this risk and ensure the security of the affected plugin.
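The nonce validation the summary calls for, shown as an added example for a WordPress AJAX handler. This is not the affected plugin's code: the `cef_save_field` action, the `cef-admin` script handle and the `cef_field_label` option are hypothetical names chosen for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from the affected plugin.
// The action name, script handle and option name are assumptions.

const CEF_NONCE_ACTION = 'cef_save_field'; // hypothetical nonce action

// Hand a fresh nonce to the admin page's JavaScript so legitimate requests carry it.
add_action( 'admin_enqueue_scripts', function () {
    // 'cef-admin' is assumed to be a script handle the plugin already registered.
    wp_localize_script( 'cef-admin', 'cefAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( CEF_NONCE_ACTION ),
    ) );
} );

// Before (shown for contrast, deliberately not registered): the handler acts on
// any request that arrives with the administrator's session cookie, so a forged
// cross-site request is indistinguishable from a genuine one.
function cef_save_field_unsafe() {
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'cef_field_label', $label );
    wp_send_json_success();
}

// After: the request must prove it originated from the plugin's own admin page.
function cef_save_field() {
    // 1. Nonce check. With $die = false the function returns false on failure,
    //    which lets the handler answer with an explicit 403.
    if ( ! check_ajax_referer( CEF_NONCE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // 2. A nonce is not authorization: also require the capability that
    //    gates the settings screen.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 3. Validate and sanitize input before changing state.
    if ( ! isset( $_POST['label'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing label' ), 400 );
    }
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ) );
    update_option( 'cef_field_label', $label );
    wp_send_json_success( array( 'label' => $label ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook for a settings change.
add_action( 'wp_ajax_cef_save_field', 'cef_save_field' );
```

`wp_send_json_error()` ends the request, so each failed check stops execution before the option is written. Every state-changing AJAX action in a plugin needs the same two checks, since one unprotected handler is enough for a forged request to succeed.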
Affected Version(s)
Comments Extra Fields For Post,Pages and CPT * <= 5.0
CVSS V3.1
- Score: 4.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci