CVE-2024-11813
Severity CVSS v4.0:
Pending analysis
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
04/12/2024
Last modified:
15/04/2026
Description
The Pulsating Chat Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.1. This is due to missing or incorrect nonce validation on the amin_chat_button_settings_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/amin-chat-button/trunk/chat-button.php#L24
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3224816%40amin-chat-button&new=3224816%40amin-chat-button&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3232038%40amin-chat-button&new=3232038%40amin-chat-button&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cea8295b-b4be-4a95-9137-ad2033a5169d?source=cve