Unauthenticated Attacker Can Delete Arbitrary Posts via Cross-Site Request Forgery
CVE-2024-8476
4.3 MEDIUM
What is CVE-2024-8476?
The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.2.1. The flaw stems from inadequate nonce validation in the wpeevent_plugin_buttons() function. An unauthenticated attacker can exploit it by tricking a site administrator into performing an action, such as clicking a malicious link, that sends a forged request with the administrator's session. If successful, the attacker can delete arbitrary posts on the affected WordPress site.
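The defect class described above, shown as a weak handler beside a hardened one. This is an added example, not the Easy PayPal Events source: every name prefixed `example_`, the `example_event` post type and the `example-events` admin page are hypothetical, and the plugin's real request parameters are not given on this page.

```php
<?php
/**
 * Added illustration only. Runs inside WordPress (for example as a small
 * plugin file). Names prefixed "example_" are hypothetical.
 */

// Weak pattern: a state-changing admin handler that trusts the request alone.
// The administrator's session cookie accompanies a forged cross-site request,
// so nothing here distinguishes it from a click inside wp-admin.
function example_delete_event_unsafe() {
    if ( isset( $_GET['example_delete'] ) ) {
        wp_delete_post( absint( $_GET['example_delete'] ), true );
    }
}

// Hardened pattern: POST only, a nonce bound to the action and the post,
// then a post-type and capability check so only permitted posts qualify.
function example_delete_event_safe() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['example_delete'] ) ) {
        return;
    }
    $post_id = absint( $_POST['example_delete'] );

    // Terminates the request when the nonce is missing, wrong or expired.
    check_admin_referer( 'example_delete_event_' . $post_id, 'example_nonce' );

    if ( 'example_event' !== get_post_type( $post_id ) ) {
        wp_die( 'Not an event post.', '', array( 'response' => 400 ) );
    }
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=example-events' ) );
    exit;
}
add_action( 'admin_init', 'example_delete_event_safe' );

// The matching admin form emits the nonce that the handler verifies.
function example_delete_button( $post_id ) {
    echo '<form method="post">';
    wp_nonce_field( 'example_delete_event_' . $post_id, 'example_nonce' );
    printf( '<input type="hidden" name="example_delete" value="%d">', (int) $post_id );
    submit_button( 'Delete event', 'delete', 'submit', false );
    echo '</form>';
}
```

Binding the nonce action to the post ID means a token issued for one post cannot be replayed against another, and the post-type check keeps the handler from deleting content the plugin does not own.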