Cross-Site Request Forgery in WP Social AutoConnect Plugin for WordPress
CVE-2024-12279

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
WP Social Autoconnect
Vendor
CVE Published:
4 January 2025

Summary

The WP Social AutoConnect plugin for WordPress exhibits a vulnerability that allows Cross-Site Request Forgery (CSRF) attacks. This issue arises from inadequate nonce validation in one of its functions. As a result, unauthenticated attackers may exploit this flaw by crafting malicious requests that deceive site administrators into executing unintended actions, such as clicking on links. This can potentially lead to the injection of harmful scripts onto the site, compromising its integrity.

Affected Version(s)

WP Social AutoConnect * <= 4.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/wp-fb-autoconnect/#developers
https://plugins.trac.wordpress.org/changeset/3211577/

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers
.