CVE-2024-8490

The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wp-property-hive:propertyhive:*:*:*:*:*:wordpress:*:*

History

27 Sep 2024, 18:36

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L1089 - () https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L1089 - Product
References () https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L976 - () https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L976 - Product
References () https://plugins.trac.wordpress.org/changeset/3152548/ - () https://plugins.trac.wordpress.org/changeset/3152548/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/17c06c83-6707-4233-a1c3-ef4cdcf93982?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/17c06c83-6707-4233-a1c3-ef4cdcf93982?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 6.5
First Time Wp-property-hive propertyhive
Wp-property-hive
CPE cpe:2.3:a:wp-property-hive:propertyhive:*:*:*:*:*:wordpress:*:*

20 Sep 2024, 12:31

Type Values Removed Values Added
Summary
  • (es) El complemento PropertyHive para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 2.0.19 incluida. Esto se debe a la falta o la validación incorrecta de nonce en la función 'save_account_details'. Esto permite que atacantes no autenticados editen el nombre, la dirección de correo electrónico y la contraseña de una cuenta de administrador a través de una solicitud falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace.

17 Sep 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-17 08:15

Updated : 2024-09-27 18:36


NVD link : CVE-2024-8490

Mitre link : CVE-2024-8490

CVE.ORG link : CVE-2024-8490


JSON object : View

Products Affected

wp-property-hive

  • propertyhive
CWE
CWE-352

Cross-Site Request Forgery (CSRF)