Back

CVE-2024-6405

June 29, 2024, 2:15 a.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Floating Social Buttons plugin for WordPress

  • up to 1.5

Source

security@wordfence.com

Tags

security@wordfence.com
2024-06-29
CVE-2024-6405

CVE-2024-6405 details

Published : June 29, 2024, 2:15 a.m.
Last Modified : June 29, 2024, 2:15 a.m.

Description

The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Score

1 2 3 4 5 6.1 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Exploitability Score

2.8

Impact Score

2.7

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

URL Source
https://plugins.trac.wordpress.org/browser/floating-social-buttons/trunk/floating-social-buttons.php#L230 security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/befe5e99-204e-470e-bbbb-285b5ba0b1fb?source=cve security@wordfence.com
This website uses the NVD API, but is not approved or certified by it.