CVE-2024-2040 – Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF

https://notcve.org/view.php?id=CVE-2024-2040

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack El tema Himer WordPress anterior a 2.1.1 no tiene comprobaciones CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los usuarios se unan a grupos privados mediante un ataque CSRF. The Himer theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.0. This is due to missing or incorrect nonce validation on the wpqa_join_group AJAX action. This makes it possible for unauthenticated attackers to join private groups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://github.com/AbdElRahmanEzzat1995/CVE-2024-20404 https://github.com/AbdElRahmanEzzat1995/CVE-2024-20405 https://wpscan.com/vulnerability/1b97bbf0-c7d1-4e6c-bb80-f9bf45fbfe1e • CWE-352: Cross-Site Request Forgery (CSRF) •