Cross-Site Request Forgery Vulnerability in Nested Pages Plugin
CVE-2024-5943

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Nested Pages
Vendor: CVE Published:; 4 July 2024

Summary

The Nested Pages plugin for WordPress is exposed to a Cross-Site Request Forgery (CSRF) vulnerability due to inadequate nonce validation in the 'settingsPage' function and insufficient sanitization of the 'tab' parameter. This flaw permits unauthorized users to craft requests that can exploit the actions of authenticated users, particularly site administrators. By deceiving an admin into clicking a malicious link, an attacker could leverage this issue to perform unintended actions, undermining the security and integrity of affected WordPress installations.

Affected Version(s)

Nested Pages * <= 3.2.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-nested-page...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 4, 2024
Vulnerability Reserved
Jun 12, 2024

Credit

Bassem Essam