CVE-2024-12526
CVSS 3.1 Score 4.3 of 10 (medium)
Details
Summary
CVE-2024-12526: The Arena.IM plugin for WordPress, used for live blogging real-time events, contains a Cross-Site Request Forgery (CSRF) vulnerability. The issue affects all versions up to 0.3.0 and is caused by missing or incorrect nonce validation on the 'albfre_user_action' AJAX action. An attacker can exploit the flaw to update the plugin's settings through a forged request, provided a site administrator performs a triggering action, such as clicking a malicious link. WordPress sites using the Arena.IM plugin are therefore at risk of unauthorized configuration changes.