WordPress Nested Pages Plugin High Severity Vulnerability – Search Engine Journal

Get your copy and clear away the noise of a crowded search marketing world. Stand out and boost your visibility for your ideal audience.
With Steven van Vessum and Alexandra Dristas, we’ll also dive into best practices for Core Web Vitals and accessibility that will create an enhanced user experience for your audience.
Join us as we delve into the intricate relationship between organic and paid search channels, offering actionable insights for measuring success to maximize their combined potential.
This event is presented by Wix Studio and Search Engine Journal, featuring a lineup of some of the world’s most prominent digital marketers.
Want to know what makes a Facebook ad effective and how to set up your campaigns for success?
Join data and SEO expert Janet Driscoll Miller to learn how generative AI is impacting organic search.
High severity vulnerability affecting up to +100,000 installations allows unauthenticated attackers to execute CSRF exploit
The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory of a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting up to +100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level severity.
The Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code level files of WordPress.
There is a missing or incorrect nonce validation, which is a common security feature used in WordPress plugins to secure forms and URLs. A second flaw in the plugin is a missing security feature called sanitization. Sanitization is a method of securing data that’s input or output which is also common to WordPress plugins but in this case is missing.
According to Wordfence:
“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter.”
The CSRF attack relies on getting a signed in WordPress user (like an Administrator) to click a link which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8 which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat which is an even higher level. So at 8.8 it is just short of a critical level threat.
This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.
The official changelog documents the security fix:
“Security update addressing CSRF issue in plugin settings”
Read the advisory at Wordfence:
Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion
Read the advisory at the NVD:
CVE-2024-5943 Detail
Featured Image by Shutterstock/Dean Drobot
I have 25 years hands-on experience in SEO and have kept on  top of the evolution of search every step …
Conquer your day with daily search marketing news.
Join Our Newsletter.
Get your daily dose of search know-how.
In a world ruled by algorithms, SEJ brings timely, relevant information for SEOs, marketers, and entrepreneurs to optimize and grow their businesses — and careers.
Copyright © 2024 Search Engine Journal. All rights reserved. Published by Alpha Brand Media.

source

Leave a Reply

Your email address will not be published. Required fields are marked *