CVE-2024-8490

Name of the Vulnerable Software and Affected Versions: PropertyHive plugin for WordPress versions up to, and including, 2.0.19

Description: The issue is due to missing or incorrect nonce validation on the save account details function, making it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For PropertyHive plugin for WordPress versions up to, and including, 2.0.19, consider disabling the save account details function until a patch is available to prevent exploitation. Restrict access to administrator accounts and monitor for any suspicious activity. Update to a version that includes the fix for this issue once it becomes available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.