WordPress Nested Pages Plugin High Severity Vulnerability via @sejournal, @martinibuster


High severity vulnerability affecting up to 100,000+ installations allows unauthenticated attackers to carry out a CSRF exploit

Vulnerability in Nested Pages WordPress plugin

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory for a high severity Cross Site Request Forgery (CSRF) vulnerability in the Nested Pages WordPress plugin, which has up to 100,000+ installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 0 to 10, with 10 representing the highest level of severity.

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw, in this case one in the Nested Pages plugin that allows unauthenticated attackers to call (include and execute) PHP files already present on the server. PHP files are the code-level files of WordPress, which is why Wordfence classifies the outcome as a local file inclusion.

The first problem is a missing or incorrect nonce validation. A nonce is a common security feature used in WordPress plugins to protect forms and URLs: it is a secret, user-specific token that a legitimate request must carry and that a third-party site cannot obtain. The second flaw in the plugin is a missing security measure called sanitization. Sanitization is a method of cleaning data that is input or output so it can only take an expected form; it is also common in WordPress plugins but in this case is missing.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing sanitization of the ‘tab’ parameter.”

The CSRF attack relies on getting a logged-in WordPress user (such as an Administrator) to click a link, which in turn lets the attacker complete the attack; the victim's browser sends the forged request with the victim's own session, so the attacker never needs credentials. This vulnerability is rated 8.8, which makes it a high severity threat. To put that into perspective, a CVSS score of 9.0 or higher is rated critical, the next level up. So at 8.8 it falls just short of a critical level threat.
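The two flaws Wordfence names (a settings page that does no nonce validation and uses an unsanitized ‘tab’ parameter) combine into the CSRF-to-local-file-inclusion chain described above. The following is an added illustration of that pattern and its fix, not code from the Nested Pages plugin: the function names, the ‘np-example’ page slug, the view file names and the appended ‘.php’ suffix are hypothetical. It assumes it runs inside WordPress, where the core functions it calls are available.

```php
<?php
// Added illustration, not Nested Pages' code. Function names, the 'np-example'
// page slug and the view file layout are hypothetical. Assumes a WordPress
// runtime providing check_admin_referer(), sanitize_key(), current_user_can(),
// wp_nonce_url(), add_query_arg(), admin_url() and plugin_dir_path().

// VULNERABLE pattern: 'tab' comes straight from the URL and is spliced into an
// include path, and nothing proves the logged-in user meant to make the request.
function np_example_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    // A forged link such as  admin.php?page=np-example&tab=../../../../some/local/file
    // opened by a logged-in administrator makes the server include that local file.
    // (Appending '.php' here is part of this illustration; it limits the inclusion
    // to files ending in .php but does not prevent directory traversal.)
    include plugin_dir_path( __FILE__ ) . 'views/settings/' . $tab . '.php';
}

// HARDENED pattern: capability check, nonce check, and an allowlist for 'tab'.
function np_example_settings_page_hardened() {
    // Authorization first: a nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this page.' );
    }

    // CSRF: check_admin_referer() verifies the nonce in $_REQUEST['_wpnonce'] for
    // this action and calls wp_die() if it is missing or invalid. A third-party
    // page cannot read the nonce, so a link it forges never carries a valid one.
    check_admin_referer( 'np_example_settings' );

    // Sanitization plus allowlist: sanitize_key() keeps only [a-z0-9_-], which
    // already removes "../", but mapping the value onto a fixed set of view files
    // is what guarantees that only intended files can ever be included.
    $views = array(
        'general' => 'general.php',
        'display' => 'display.php',
    );
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! isset( $views[ $tab ] ) ) {
        $tab = 'general';
    }
    include plugin_dir_path( __FILE__ ) . 'views/settings/' . $views[ $tab ];
}

// Links to the hardened page must carry the matching nonce, otherwise the check
// above rejects legitimate users as well as forged requests.
function np_example_settings_tab_url( $tab ) {
    $url = add_query_arg(
        array( 'page' => 'np-example', 'tab' => $tab ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'np_example_settings' );
}
```

The two fixes are independent and both are needed. The nonce check alone stops a forged link from triggering the page, but an administrator who holds a valid nonce could still include an arbitrary file through ‘tab’; the allowlist alone removes the file inclusion, but the settings action would remain forgeable. This matches the advisory, which lists the missing nonce validation and the missing sanitization as separate causes.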

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog. Site owners running 3.2.7 or earlier should update.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

Featured Image by Shutterstock/Dean Drobot

SEJ STAFF Roger Montti, Owner at Martinibuster.com

I have 25 years hands-on experience in SEO and have kept on top of the evolution of search every step ...
