CVE-2024-7863
Favicon Generator < 2.1 - Arbitrary File Upload via CSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server
The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-08-15 CVE Reserved
- 2024-08-23 CVE Published
- 2024-09-13 CVE Updated
- 2024-09-13 First Exploit
- 2024-09-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/5e814b02-3870-4742-905d-ec03b0d31add | 2024-09-13 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unknown Search vendor "Unknown" | Favicon Generator (CLOSED) Search vendor "Unknown" for product "Favicon Generator (CLOSED)" | < 2.1 Search vendor "Unknown" for product "Favicon Generator (CLOSED)" and version " < 2.1" | en |
Affected
| ||||||