PT-2024-15822 · WordPress · Wolf – Wordpress Posts Bulk Editor/Manager Professional

Francesco Carlucci · Published 2024-02-05 · Updated 2024-02-13 · CVE-2024-0790

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin, versions up to and including 1.0.8.1.

Description

The issue is related to missing or incorrect nonce validation on several functions, including wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term. This allows unauthenticated attackers to create, modify, and delete taxonomy terms via a forged request if they can trick a site administrator into performing a certain action. Additionally, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable, enabling attackers to update plugin options, delete post counts, delete posts, and modify post metadata via forged requests.

Recommendations

For versions up to and including 1.0.8.1, update to a version that includes the necessary nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the vulnerable functions wpbe_create_new_term, wpbe_update_tax_term, wpbe_delete_tax_term, wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta until a patch is available.
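As an added illustration (not the plugin's own code), the following hypothetical admin-ajax handler for deleting a taxonomy term is shown first without and then with the nonce and capability checks whose absence the advisory describes. The action name `example_delete_tax_term`, the function names and the script handle are assumed.

```php
<?php
// Constructed example of the weakness class in this advisory: a WordPress
// admin-ajax handler that acts on a cookie-authenticated request without
// proving the request originated from the plugin's own admin page.

// VULNERABLE: no nonce and no capability check. The browser attaches the
// logged-in administrator's cookies to any request reaching admin-ajax.php,
// so a forged cross-site request is processed exactly like a legitimate one.
function example_delete_tax_term_vulnerable() {
    $term_id  = intval( $_POST['term_id'] ?? 0 );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    wp_delete_term( $term_id, $taxonomy );
    wp_send_json_success();
}

// HARDENED: verify the nonce, then the capability, then validate input.
function example_delete_tax_term_hardened() {
    // Dies with HTTP 403 unless $_REQUEST['nonce'] is a valid nonce for this
    // action string issued to the current user (see wp_create_nonce below).
    check_ajax_referer( 'example_delete_tax_term', 'nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $term_id  = intval( $_POST['term_id'] ?? 0 );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }
    $result = wp_delete_term( $term_id, $taxonomy );
    if ( is_wp_error( $result ) || false === $result ) {
        wp_send_json_error( 'delete failed', 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_tax_term', 'example_delete_tax_term_hardened' );

// The plugin's admin script must carry a nonce created for the same action
// string; a cross-site page cannot obtain this value, so its request fails.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_tax_term' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The same three steps (nonce check, capability check, input validation) apply to every state-changing handler listed in the advisory, including the options, bulk-delete and meta handlers.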

Fix

Weakness Enumeration

CSRF (Cross-Site Request Forgery)

Related Identifiers

CVE-2024-0790

Affected Products

Wolf – Wordpress Posts Bulk Editor/Manager Professional