CVE-2024-12170

Published Jan 7, 2025

Last updated 2 months ago

CVSS medium 5.4

Overview

Description
The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on the 'Viewmedica-Admin' page. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source
security@wordfence.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Primary
Base score
5.4
Impact score
2.5
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-352

Social media

Hype score
Not currently trending

  1. CVE-2024-12170 Unauthenticated SQL Injection via CSRF in ViewMedica WordPress Plugin The ViewMedica 9 plugin for WordPress has a Cross-Site Request Forgery vulnerability in versions up to 1.4.15. This happens bec... https://t.co/ngTiL0aYDt

    @VulmonFeeds

    7 Jan 2025

    68 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  2. CVE-2024-12170 The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect no… https://t.co/CJzWuYk2fs

    @CVEnew

    7 Jan 2025

    231 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References