CVE-2024-1504

Name of the Vulnerable Software and Affected Versions SecuPress Free — WordPress Security plugin versions up to, and including, 2.2.5.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the secupress blackhole ban ip() function. This allows unauthenticated attackers to block a user's IP via a forged request if they can trick the user into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 2.2.5.1, update the SecuPress Free — WordPress Security plugin as soon as possible to fix the issue. As a temporary workaround, consider monitoring IP ban-list changes closely to detect any unauthorized blocks. Additionally, restrict access to the secupress blackhole ban ip() function until a patch is available.