CVE-2021-24735

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 65.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Compact WP Audio Player Tipsandtricks-hq Compact WP Audio Player

Timeline

PublishedOct 18

Latest updateMay 24

Description

The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5unknown/compact_wp_audio_player1.9.7 — 1.9.7

▶NVDtipsandtricks-hq/compact_wp_audio_player< 1.9.7

🔴Vulnerability Details

GHSA

GHSA-c8jp-pc3c-h742: The Compact WP Audio Player WordPress plugin before 1↗2022-05-24

▶

CVEList

Compact WP Audio Player < 1.9.7 - Setting Change via CSRF↗2021-10-18

▶