A high severity Cross Site Request Forgery (CSRF) vulnerability has been identified in the Nested Pages WordPress plugin, potentially affecting over 100,000 installations. Both the U.S. National Vulnerability Database (NVD) and Wordfence have published advisories regarding this issue, which has received a Common Vulnerability Scoring System (CVSS) rating of 8.8 out of 10.
Cross Site Request Forgery (CSRF) This type of attack exploits a flaw in the Nested Pages plugin, allowing unauthenticated attackers to execute PHP files, which are critical components of WordPress. The vulnerability arises from missing or incorrect nonce validation, a security measure that protects forms and URLs in WordPress plugins. Additionally, the plugin lacks proper sanitization, a method of securing input and output data.
According to Wordfence: “This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing sanitization of the ‘tab’ parameter.”
The CSRF attack relies on tricking a logged-in WordPress user, such as an Administrator, into clicking a malicious link, thereby enabling the attacker to execute the exploit. With a CVSS score of 8.8, this vulnerability is classified as a high severity threat, just below the critical threshold of 8.9.
WordPress Nested Pages Plugin High Severity Vulnerability via @sejournal, @martinibuster
High severity CSRF vulnerability in the Nested Pages WordPress Plugin affects up to +100,000 installations The post WordPress Nested Pages Plugin High Severity Vulnhttps://t.co/DmiLhO85Iu
— Ivica Delic (@Free_LanceTools) July 8, 2024
Affected Versions and Fix This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The plugin developers have addressed this issue with a security fix in version 3.2.8, as documented in their official changelog:
“Security update addressing CSRF issue in plugin settings”
Users are strongly urged to update to the latest version, 3.2.8, to secure their sites against this vulnerability.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
