CVE-2024-9778

The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Configurations

Configuration 1 (hide)

cpe:2.3:a:getbutterfly:imagepress:*:*:*:*:*:wordpress:*:*

History

25 Nov 2024, 19:20

Type Values Removed Values Added
CPE cpe:2.3:a:getbutterfly:imagepress:*:*:*:*:*:wordpress:*:*
First Time Getbutterfly
Getbutterfly imagepress
References () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L106 - () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L106 - Product
References () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L2 - () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L2 - Product
References () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L267 - () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L267 - Product
References () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L380 - () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L380 - Product
References () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L461 - () https://plugins.trac.wordpress.org/browser/image-gallery/trunk/includes/page-settings.php#L461 - Product
References () https://plugins.trac.wordpress.org/changeset/3167164/ - () https://plugins.trac.wordpress.org/changeset/3167164/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/200b3446-6107-434b-b46d-2078461f3f94?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/200b3446-6107-434b-b46d-2078461f3f94?source=cve - Third Party Advisory

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) El complemento ImagePress – Image Gallery para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2.2 incluida. Esto se debe a la falta o la validación incorrecta de nonce en la función 'imagepress_admin_page'. Esto hace posible que atacantes no autenticados actualicen la configuración del complemento, incluidas las URL de redireccionamiento, a través de una solicitud falsificada, siempre que puedan engañar al administrador del sitio para que realice una acción como hacer clic en un enlace.

12 Oct 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-12 06:15

Updated : 2024-11-25 19:20


NVD link : CVE-2024-9778

Mitre link : CVE-2024-9778

CVE.ORG link : CVE-2024-9778


JSON object : View

Products Affected

getbutterfly

  • imagepress
CWE
CWE-352

Cross-Site Request Forgery (CSRF)