CVE-2024-1489

EPSS 0.11%
Veröffentlicht 13.03.2024 16:15:23
Zuletzt bearbeitet 03.04.2025 13:13:02
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

SMS Alert Order Notifications – WooCommerce <= 3.6.9 - Cross-Site Request Forgery

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missing or incorrect nonce validation on the processBulkAction function. This makes it possible for unauthenticated attackers to delete pages and posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Mögliche Gegenmaßnahme

SMS Alert Order Notifications – WooCommerce: Update to version 3.7.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt SMS Alert Order Notifications – WooCommerce

Version *-3.6.9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cozyvision ≫ Sms Alert Order Notifications SwPlatformwordpress Version < 3.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.305

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3039989%40sms-alert%2Ftrunk&old=3032487%40sms-alert%2Ftrunk&sfp_email=&sfph_mail=#file19

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/e7a28382-facb-43a7-892a-8ca9e7f0f62b?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e7a28382-facb-43a7-892a-8ca9e7f0f62b

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-1489

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1489

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1489

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1489