CVE-2024-11640

CVE-2024-11640 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the VikRentCar Car Rental Management System plugin for WordPress in all versions up to and including 1.4.2. The issue stems from missing or incorrect nonce validation in the plugin's 'save' function. Published on 2025-03-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which submits a forged request to alter plugin access privileges. Successful exploitation enables attackers with subscriber-level privileges or higher to upload arbitrary files to the affected site's server, potentially leading to remote code execution.

Mitigation details are available in advisories from Wordfence and the WordPress plugin repository. The patch is implemented in changeset 3225040, accessible at https://plugins.trac.wordpress.org/changeset/3225040/vikrentcar, and further intelligence is provided at https://www.wordfence.com/threat-intel/vulnerabilities/id/4a4c085a-1601-4c1a-ac17-0f2cf5d02489?source=cve. Security practitioners should prioritize updating the plugin beyond version 1.4.2 and educate administrators on verifying requests.