Cross-Site Request Forgery Vulnerability in Automate Hub Free by Sperse.IO
CVE-2024-13683

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Automate Hub Free By Sperse.io
Vendor: CVE Published:; 24 January 2025

Summary

The Automate Hub Free plugin by Sperse.IO for WordPress is susceptible to an exposure that allows Cross-Site Request Forgery (CSRF) attacks. Specifically, this vulnerability arises from inadequate nonce validation on the 'automate_hub' settings page. As a result, unauthenticated attackers could exploit this flaw to manipulate the activation status of the plugin by deceiving a site administrator into executing a malicious request, such as clicking on a compromised link. This behavior compromises the integrity of the plugin and could lead to unauthorized changes within the site.

Affected Version(s)

Automate Hub Free by Sperse.IO * <= 1.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/automate-hub-free-by-sperse...

https://plugins.trac.wordpress.org/browser/automate-hub-f...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 23, 2025

Credit

Dhabaleshwar Das