CVE-2024-13852

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published: Feb 18, 2025
Updated: Feb 21, 2025
CWE ID: 352

Summary

CVE-2024-13852 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Option Editor plugin for WordPress in version 1.0. This issue stems from a lack of nonce validation on the plugin's plugin_page() function, allowing unauthenticated attackers to submit forged requests. By manipulating a site administrator into performing a specific action, such as clicking on a malicious link, the attacker can successfully update arbitrary options on the WordPress site, including the default role for registration and user registration settings. This can potentially grant attackers administrative user access to the vulnerable site.
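To illustrate the missing control, here is an added example (not the Option Editor plugin's own code) of a hypothetical WordPress admin-page handler that updates options: first in the CSRF-prone shape the summary describes, then hardened with a capability check, a nonce check and an option allowlist. Function names, form field names and the allowlisted options are assumptions.

```php
<?php
// Hypothetical handler, written for illustration of CVE-2024-13852's root
// cause; it is not code from the Option Editor plugin.

// CSRF-prone pattern: any POST that reaches the page is trusted, so a forged
// request submitted by a logged-in administrator's browser can set any option.
function vuln_plugin_page_save() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option(
            sanitize_key( wp_unslash( $_POST['option_name'] ) ),
            sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        );
    }
}

// Hardened pattern.
function safe_plugin_allowed_options() {
    // Assumed allowlist; sensitive options such as default_role and
    // users_can_register are deliberately not editable through this page.
    return array( 'blogdescription', 'start_of_week' );
}

function safe_plugin_page_render() {
    // The nonce field ties the form to this site, this user and this action.
    echo '<form method="post">';
    wp_nonce_field( 'safe_plugin_save', 'safe_plugin_nonce' );
    echo '<input type="text" name="option_name">';
    echo '<input type="text" name="option_value">';
    submit_button( 'Save' );
    echo '</form>';
}

function safe_plugin_page_save() {
    // 1. Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: rejects requests that did not come from the plugin's own
    //    form (the validation the summary reports as missing from plugin_page()).
    check_admin_referer( 'safe_plugin_save', 'safe_plugin_nonce' );

    // 3. Allowlist: the request must not be able to name arbitrary options.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, safe_plugin_allowed_options(), true ) ) {
        wp_die( 'Option not editable.', '', array( 'response' => 400 ) );
    }
    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
}
```

When reviewing a plugin for this class of bug, look for every `update_option()` reachable from an admin page and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call and a capability check precede it.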
