Cross-Site Request Forgery Vulnerability in Wtyczka SeoPilot for WordPress
CVE-2024-11812

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
20 December 2024

Summary

The SeoPilot dla WP plugin for WordPress (listed as "Wtyczka SeoPilot dla WP") is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.3.091. The SeoPilot_Admin_Options() function processes settings submissions without validating a WordPress nonce, so it cannot distinguish a form the administrator submitted from the plugin's own settings page from a request forged by a third-party site. An unauthenticated attacker who gets a logged-in administrator to perform an action such as clicking a link or visiting a page that auto-submits a form can therefore change the plugin's settings. Because those settings are stored and later rendered, the same forged request can be used to inject scripts into the stored values, turning the CSRF into a stored cross-site scripting issue. Sites running the affected plugin should update to a fixed release; the underlying coding defect is the missing check_admin_referer() / wp_verify_nonce() call (together with a capability check) on the settings handler.
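The following is an added example, not the plugin's own code, showing the defect class the summary describes and the standard WordPress fix. The function and option names (example_admin_options_vulnerable, example_admin_options_fixed, example_seo_title_suffix, the nonce action and field names) are hypothetical; the advisory only names SeoPilot_Admin_Options() and gives no parameter names.

```php
<?php
// Added example (not SeoPilot code). All option, field and nonce names are hypothetical.

/**
 * Vulnerable pattern: the handler trusts any POST that reaches the admin page.
 * A form on an attacker-controlled site that posts to
 * wp-admin/options-general.php?page=example-seo lands here with the
 * administrator's cookies, and nothing proves the admin intended the change.
 */
function example_admin_options_vulnerable() {
    if ( isset( $_POST['example_seo_title_suffix'] ) ) {
        // No nonce check, no capability check, no sanitisation.
        update_option( 'example_seo_title_suffix', $_POST['example_seo_title_suffix'] );
    }
    $current = get_option( 'example_seo_title_suffix', '' );
    echo '<form method="post">';
    // Unescaped output: a value injected via CSRF is rendered as-is (stored XSS).
    echo '<input type="text" name="example_seo_title_suffix" value="' . $current . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

/**
 * Hardened form of the same handler.
 */
function example_admin_options_fixed() {
    if ( isset( $_POST['example_seo_title_suffix'] ) ) {
        // 1. The request must carry a nonce that WordPress minted for this action
        //    and this user; a cross-origin form cannot obtain one. check_admin_referer()
        //    dies with a 403-style "link expired" page when the nonce is absent or wrong.
        check_admin_referer( 'example_save_seo_options', 'example_seo_nonce' );

        // 2. The nonce proves intent, not authority: still require the capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You do not have permission to change these settings.', 'example' ) );
        }

        // 3. Unslash (WordPress adds slashes to superglobals) and sanitise before storing.
        $value = sanitize_text_field( wp_unslash( $_POST['example_seo_title_suffix'] ) );
        update_option( 'example_seo_title_suffix', $value );
    }

    $current = get_option( 'example_seo_title_suffix', '' );
    echo '<form method="post">';
    // Emits hidden fields: the nonce plus _wp_http_referer.
    wp_nonce_field( 'example_save_seo_options', 'example_seo_nonce' );
    // 4. Escape on output so a bad stored value cannot execute even if it got in.
    echo '<input type="text" name="example_seo_title_suffix" value="' . esc_attr( $current ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Hypothetical registration of the settings page (hook names are real WordPress API).
add_action( 'admin_menu', function () {
    add_options_page(
        'Example SEO',
        'Example SEO',
        'manage_options',
        'example-seo',
        'example_admin_options_fixed'
    );
} );
```

The nonce check and the capability check address different failures: the nonce ties the request to a form the current user actually loaded, while current_user_can() stops a lower-privileged user who reaches the page at all. Escaping on output is what contains the stored-XSS half of the issue; a nonce alone does nothing for values that were already written.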

Affected Version(s)

Wtyczka SeoPilot dla WP * <= 3.3.091

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None (the published score of 6.1 corresponds to A:N; with Availability set to Low the same metrics compute to 7.1)
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 20 December 2024

Credit

SOPROBRO