Cross-Site Request Forgery Vulnerability in The Reviews Feed Plugin
CVE-2024-8200

4.3MEDIUM

Key Information:

Vendor: Smub
Status: Reviews Feed – Add Testimonials And Customer Reviews From Google Reviews, Yelp, Tripadvisor, And More
Vendor: CVE Published:; 27 August 2024

Summary

The Reviews Feed plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) attacks, affecting all versions up to and including 1.1.2. This vulnerability arises from improper nonce validation within the 'update_api_key' function. As a result, attackers can exploit this weakness to send forged requests that update an API key without authentication. If a site administrator is tricked into performing an action, such as clicking a malicious link, an attacker can gain unauthorized control over API configurations, potentially leading to further security breaches.

Affected Version(s)

Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More * <= 1.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/reviews-feed/t...

https://plugins.trac.wordpress.org/changeset/3125315/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 27, 2024
Vulnerability Reserved
Aug 27, 2024

Credit

Sajjad Ahmad