CVE-2024-0767

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Feb 28, 2024
Updated: Jan 8, 2025
CWE ID 352

Summary

CVE-2024-0767 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Envo's Elementor Templates & Widgets for WooCommerce, a plugin for WordPress. Versions up to and including 1.4.4 are impacted. The vulnerability arises from insufficient nonce validation in the ajax_plugin_activation function. An attacker can exploit this weakness by crafting a malicious request and tricking a site administrator into executing it, which lets the attacker activate arbitrary plugins without being authenticated. This poses a significant risk to WordPress sites using the affected plugin.
