CVE-2024-9847

Name of the Vulnerable Software and Affected Versions FlatPress CMS versions prior to 1.4.dev

Description The issue allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, enabling or disabling plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, sends a request to the FlatPress CMS server to perform the desired action. Since the request is authenticated, the server processes it as if it were initiated by the legitimate user, allowing the attacker to perform unauthorized actions.

Recommendations For versions prior to 1.4.dev, update to version 1.4.dev to resolve the issue. As a temporary workaround, consider restricting access to the plugin management interface to minimize the risk of exploitation. Avoid using the vulnerable plugin management functionality until the issue is resolved.