CVE-2024-12386
Published: 12 February 2025
Description
The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Security Summary
CVE-2024-12386 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP Abstracts plugin for WordPress, affecting all versions up to and including 2.7.3. The root cause is missing nonce validation on multiple functions within the plugin: the affected handlers accept any request that arrives with a logged-in administrator's session cookie, with nothing that ties the request to an action the administrator actually intended. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and was published on 2025-02-12.
The attacker needs no account on the target site. They craft the request (for example a link, or an auto-submitting form on a page they control) and trick a logged-in site administrator into triggering it; the browser attaches the administrator's cookies automatically, so the plugin performs the action with administrator privileges. Successful exploitation allows deletion of arbitrary accounts, which is why the vector rates high integrity and availability impact with no privileges required (PR:N), while confidentiality is unaffected (C:N) and user interaction is required (UI:R).
Fix and mitigation details are available from the WordPress plugins trac (changeset 3238664), the plugin's page on WordPress.org, and Wordfence threat intelligence. Security practitioners should review these sources and update WP Abstracts to a patched release later than 2.7.3. Until the update is applied, administrators should avoid following untrusted links while logged in to the site, but only the plugin update adds the missing nonce validation.
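The following is an added illustration of the defect class described above and of the standard WordPress fix; it is not code from WP Abstracts or from the referenced changeset. The hook name `admin_post_hypothetical_delete_account`, the `hypo_*` function names, the `user_id` parameter and the `delete_users` capability choice are assumptions chosen for the example. The first handler shows the CWE-352 pattern (an admin-post action with no nonce and no capability check); the second shows the request being bound to a nonce issued to the administrator for that specific action and target, plus an independent authorization check.

```php
<?php
/*
 * Added example, not WP Abstracts' own code. All hook, function and
 * parameter names here are hypothetical. Drop into a plugin file on a
 * test site to compare the two handlers.
 */

/*
 * What the attacker serves (constructed, hypothetical): a page that
 * auto-submits to the vulnerable handler. The victim's browser adds the
 * WordPress auth cookies, so the request looks like the administrator's.
 *
 *   <form id="f" method="POST" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action"  value="hypothetical_delete_account">
 *     <input type="hidden" name="user_id" value="7">
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 */

// --- Vulnerable pattern (CWE-352): trusts any request carrying the session cookie.
add_action( 'admin_post_hypothetical_delete_account', 'hypo_delete_account_vulnerable' );
function hypo_delete_account_vulnerable() {
    // No nonce check and no capability check: the forged POST above lands here.
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );
    if ( $user_id ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user_id ); // arbitrary account deleted
    }
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// --- Hardened pattern: nonce bound to action + target, then a capability check.

// Builds the link the legitimate UI shows. The nonce is tied to the current
// user's session and to this action/target, and it expires; an attacker's
// page cannot read it because of the same-origin policy.
function hypo_delete_account_link( $user_id ) {
    $url = add_query_arg(
        array(
            'action'  => 'hypothetical_delete_account',
            'user_id' => absint( $user_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'hypothetical_delete_account_' . absint( $user_id ), '_wpnonce' );
}

add_action( 'admin_post_hypothetical_delete_account', 'hypo_delete_account_hardened' );
function hypo_delete_account_hardened() {
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );

    // 1. Nonce: check_admin_referer() calls wp_die() when the nonce is
    //    missing or does not verify for this action, so a forged request
    //    never reaches the delete. Binding the target id into the action
    //    string stops a nonce issued for one account being replayed
    //    against another.
    check_admin_referer( 'hypothetical_delete_account_' . $user_id, '_wpnonce' );

    // 2. Capability: a nonce proves intent, not authorization. Check the
    //    caller may delete users, and refuse self-deletion.
    if ( ! $user_id || ! current_user_can( 'delete_users' ) || $user_id === get_current_user_id() ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
```

When auditing a plugin for this class of bug, list every `admin_post_*`, `admin_post_nopriv_*`, `wp_ajax_*` and `admin_init`-driven handler that changes state and confirm each one calls `check_admin_referer()` or `check_ajax_referer()` (or `wp_verify_nonce()` on the raw value) before acting, and that the nonce check is paired with a `current_user_can()` check; a nonce alone does not establish that the caller is allowed to perform the action.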
Details
- CWE(s)