CVE-2024-5943 — Cross-Site Request Forgery in Nested Pages

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 40.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kylephillips Nested Pages

Timeline

PublishedJul 4

Description

The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDkylephillips/nested_pages< 3.2.8

▶CVEListV5kylephillips/nested_pages3.2.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-4gq9-jp3j-mwwg: The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3↗2024-07-04

▶

CVEList

Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion↗2024-07-04

▶