JVN#86206017
WordPress Plugin "easy-popup-show" vulnerable to cross-site request forgery
Overview
WordPress Plugin "easy-popup-show" contains a cross-site request forgery vulnerability.
Products Affected
- easy-popup-show all versions
Description
WordPress Plugin "easy-popup-show" provided by Ari Susanto contains a cross-site request forgery vulnerability (CWE-352).
Impact
If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed.
Solution
Stop using the plugin
The developer states that the plugin is no longer supported, therefore stop using the plugin.
Vendor Status
| Vendor | Link |
| Ari Susanto | easy-popup-show |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Daiki Kojima of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the developer and coordinated. After the coordination was completed, Daiki Kojima reported the case to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-29009 |
| JVN iPedia |
JVNDB-2024-000033 |