CVE-2024-12526

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Dec 12, 2024
CWE ID 352

Summary

CVE-2024-12526: The Arena.IM plugin for WordPress, used for live blogging real-time events, contains a Cross-Site Request Forgery (CSRF) vulnerability. All versions up to and including 0.3.0 are affected because of missing or incorrect nonce validation on the 'albfre_user_action' AJAX action. An unauthenticated attacker can use this flaw to update the plugin's settings through a forged request, provided a site administrator performs a triggering action such as clicking a malicious link. WordPress sites running the Arena.IM plugin are therefore exposed to unauthorized configuration changes.
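The checks whose absence produces this class of CSRF are illustrated below with a hypothetical hardened handler for the 'albfre_user_action' AJAX action. This is an added example, not the Arena.IM plugin's own code; the function names, option name, script handle and the 'nonce' request field are assumptions.

```php
<?php
// Added example (not Arena.IM code): a hardened handler for the 'albfre_user_action' action.
// Function, option and script names below are hypothetical.

// Hand a nonce to the admin-side script so legitimate requests can include it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'albfre-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'albfre-admin', 'albfreAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'albfre_user_action' ),
    ) );
} );

// Register only the authenticated hook; a settings change should not be reachable via wp_ajax_nopriv_.
add_action( 'wp_ajax_albfre_user_action', 'albfre_handle_user_action' );

function albfre_handle_user_action() {
    // 1. CSRF defence: the request must carry a nonce bound to this action and the current user session.
    //    check_ajax_referer() terminates the request with "-1" when the nonce is missing or invalid,
    //    so a forged cross-site request never reaches the code below.
    check_ajax_referer( 'albfre_user_action', 'nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege, so check capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate and sanitize input before it reaches the options table.
    $allowed = array( 'enable', 'disable' );
    $action  = isset( $_POST['albfre_action'] ) ? sanitize_key( wp_unslash( $_POST['albfre_action'] ) ) : '';
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action.' ), 400 );
    }

    update_option( 'albfre_feature_enabled', 'enable' === $action ? '1' : '0' );
    wp_send_json_success( array( 'state' => $action ) );
}
```

The nonce check alone is the fix for CWE-352; the capability check is kept alongside it because a nonce only proves the request originated from the plugin's own page, not that the user is allowed to change settings.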
