Close Menu
    Trending
    SEO

    WordPress Nested Pages Plugin High Severity Vulnerability

    YGLukBy No Comments2 Mins Read


    The U.S. Nationwide Vulnerability Database (NVD) and Wordfence printed a safety advisory of a excessive severity Cross Web site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting as much as +100,000 installations. The vulnerability obtained a Widespread Vulnerability Scoring System (CVSS) ranking of 8.8 on a scale of 1 – 10, with ten representing the very best degree severity.

    Cross Web site Request Forgery (CSRF)

    The Cross Web site Request Forgery (CSRF) is a kind of assault that takes benefit of a safety flaw within the Nested Pages plugin that enables unauthenticated attackers to name (execute) PHP recordsdata, that are the code degree recordsdata of WordPress.

    There’s a lacking or incorrect nonce validation, which is a standard safety function utilized in WordPress plugins to safe types and URLs. A second flaw within the plugin is a lacking safety function referred to as sanitization. Sanitization is a technique of securing knowledge that’s enter or output which can be frequent to WordPress plugins however on this case is lacking.

    Based on Wordfence:

    “This is because of lacking or incorrect nonce validation on the ‘settingsPage’ perform and lacking santization of the ‘tab’ parameter.”

    The CSRF assault depends on getting a signed in WordPress person (like an Administrator) to click on a hyperlink which in flip permits the attacker to finish the assault. This vulnerability is rated 8.8 which makes it a excessive severity menace. To place that into perspective, a rating of 8.9 is a vital degree menace which is a good larger degree. So at 8.8 it’s simply wanting a vital degree menace.

    This vulnerability impacts all variations of the Nested Pages plugin as much as and together with model 3.2.7. The builders of the plugin launched a safety repair in model 3.2.8 and responsibly printed the small print of the safety replace of their changelog.

    The official changelog paperwork the safety repair:

    “Safety replace addressing CSRF difficulty in plugin settings”

    Learn the advisory at Wordfence:

    Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

    Learn the advisory on the NVD:

    CVE-2024-5943 Detail

    Featured Picture by Shutterstock/Dean Drobot



    Source link

    Share.

    Related Posts

    Add A Comment
    Leave A Reply

    6 + 9 =