Cross-Site Request Forgery Vulnerability in WordPress Crypto Plugin
CVE-2024-9990

8.8 HIGH

Key Information:

Vendor: Odude
Product: Crypto Tool
CVE Published: 29 October 2024

Summary

The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.15. The flaw is insufficient nonce validation in the 'crypto_connect_ajax_process::check' function, so the handler cannot distinguish a request the administrator intended from one forged by another site. An unauthenticated attacker who tricks a site administrator into performing a crafted action can use the forged request to gain access to user accounts, including ones with administrative privileges. Keeping your WordPress installation and all plugins up to date is critical to mitigate this risk.
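The nonce check the summary describes as missing, shown as an added example of the hardened pattern for a WordPress admin-ajax handler. This is illustrative code, not the Crypto plugin's own, and the action, hook, nonce and helper names (example_connect, example_connect_action, example_link_account) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.

// Hypothetical privileged action: links an account to the current user record.
function example_link_account( $user_id ) {
    update_user_meta( $user_id, 'example_linked', 1 );
}

// Unsafe pattern: the handler trusts the request only because the caller is logged in.
// A request forged from another site carries the admin's session cookies, so it
// reaches the privileged code with no proof that the admin intended the action.
function example_connect_unsafe() {
    example_link_account( absint( $_POST['user_id'] ) );
    wp_send_json_success();
}

// Hardened handler.
function example_connect_check() {
    // 1. CSRF defence: require a nonce bound to this action and the current session.
    //    check_ajax_referer() stops with HTTP 403 when the 'nonce' field is missing
    //    or invalid, so a forged request never reaches the privileged code.
    check_ajax_referer( 'example_connect_action', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege; still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the input that selects which account is acted on.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'invalid user', 400 );
    }

    example_link_account( $user_id );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Only the authenticated hook is registered: no 'wp_ajax_nopriv_' variant exposes
// the action to unauthenticated callers.
add_action( 'wp_ajax_example_connect', 'example_connect_check' );

// Issue the nonce to the plugin's own JavaScript, which sends it as the 'nonce' POST field.
function example_enqueue_assets() {
    wp_enqueue_script( 'example-connect', plugins_url( 'connect.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-connect', 'exampleConnect', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_connect_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_assets' );
```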

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published