WordPress Plugin Vulnerabilities

Kimili Flash Embed <= 2.5.3 - Cross-Site Request Forgery

Description

The Kimili Flash Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.3. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown.

Affects Plugins

Plugin icon
kimili-flash-embed
No known fix

References

CVE
CVE-2024-32092
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e6f9f8c-a36b-412d-a2ae-cc90e3a840f6

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
b5748d05-115e-4fd4-83e7-c9d5d51057a2

Timeline

Publicly Published
2024-04-11 (about 1 months ago)
Added
2024-04-17 (about 1 months ago)
Last Updated
2024-04-17 (about 1 months ago)

Other

Published
Title
Published
2022-09-28
Title
Booking Ultra Pro < 1.1.7 - Stored Cross-Site Scripting via CSRF
Published
2021-10-18
Title
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
Published
2023-09-05
Title
SendPress Newsletters <= 1.23.11.6 - CSRF
Published
2024-04-23
Title
Slash Admin < 3.8.2 - Cross-Site Request Forgery
Published
2024-04-12
Title
Wallet System for WooCommerce < 2.5.10 - Cross-Site Request Forgery