UnAuthenticated Attacker Can Delete Arbitrary Posts via Cross-Site Request Forgery
CVE-2024-8476

4.3MEDIUM

Key Information:

Vendor
Easy PayPal Events
Status
Easy Paypal Events
Vendor
CVE Published:
25 September 2024

Summary

The Easy PayPal Events plugin for WordPress is susceptible to a Cross-Site Request Forgery vulnerability, present in all versions up to and including 1.2.1. This vulnerability arises from inadequate nonce validation in the wpeevent_plugin_buttons() function. As a result, unauthenticated attackers can exploit this flaw by tricking a site administrator into executing malicious actions, such as clicking on an infected link. If successful, this could allow attackers to delete arbitrary posts on the affected WordPress sites.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/easy-paypal-ev...
https://plugins.trac.wordpress.org/browser/easy-paypal-ev...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD Database
.