CVE-2024-1360

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-1360
The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve Third Party Advisory
https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:colibriwp:colibri:*:*:*:*:*:wordpress:*:*
History

05 Feb 2025, 21:46

Type Values Removed Values Added
First Time Colibriwp
Colibriwp colibri
CWE CWE-352
CPE cpe:2.3:a:colibriwp:colibri:*:*:*:*:*:wordpress:*:*
References () https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php - () https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve - Third Party Advisory

21 Nov 2024, 08:50

Type Values Removed Values Added
References () https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php - () https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php -
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve -

23 Feb 2024, 16:14

Type Values Removed Values Added
Summary
  • (es) El tema Colibri WP para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.0.94 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función colibriwp_install_plugin(). Esto hace posible que atacantes no autenticados instalen complementos recomendados a través de una solicitud falsificada, siempre que puedan engañar al administrador del sitio para que realice una acción como hacer clic en un enlace.

23 Feb 2024, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-23 11:15

Updated : 2025-02-05 21:46

NVD link : CVE-2024-1360

Mitre link : CVE-2024-1360

CVE.ORG link : CVE-2024-1360

JSON object : View

Products Affected

colibriwp

  • colibri
CWE
CWE-352

Cross-Site Request Forgery (CSRF)