Cross-Site Request Forgery Vulnerability in Scratch & Win Plugin for WordPress
CVE-2024-12545

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Scratch & Win – Giveaways And Contests. Boost Subscribers, Traffic, Repeat Visits, Referrals, Sales And More
Vendor: CVE Published:; 4 January 2025

What is CVE-2024-12545?

The Scratch & Win – Giveaways and Contests Plugin for WordPress contains a Cross-Site Request Forgery vulnerability found in all versions up to and including 2.7.1. The flaw stems from the exclusion of nonce validation in the reset_installation() function, allowing unauthenticated attackers to potentially reset the plugin's installation. This could occur if an attacker successfully deceives an administrator into executing an action, like clicking on a malicious link, thereby exploiting the vulnerability.

Affected Version(s)

Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more * <= 2.7.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/scratch-win-gi...

https://wordpress.org/plugins/scratch-win-giveaways-for-w...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 4, 2025
Vulnerability Reserved
Dec 11, 2024

Credit

Peter Thaleikis

Wordpress

What is CVE-2024-12545?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit