
JVNDB-2024-000066

WordPress plugins "WP Tweet Walls" and "Sola Testimonials" vulnerable to cross-site request forgery

Overview

WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability (CWE-352).

These vulnerabilities were reported by the following reporters, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVE-2024-38344: Yuya Asato of GMO Cybersecurity by Ierae, Inc.
CVE-2024-38345: Yuta Takanashi

CVSS Severity

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

Sola Plugins
  • Sola Testimonials/Super Testimonials versions prior to 3.0.0 (CVE-2024-38345)
  • WP Tweet Walls versions prior to 1.0.4 (CVE-2024-38344)

Impact

If a user accesses a malicious page while logged in to a WordPress site where the affected plugin is enabled, the user may be made to perform unintended operations on the WordPress site.

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Sola Testimonials was updated to version 3.0.0 and renamed to Super Testimonials in November 2020.

Vendor Information

Sola Plugins

CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]

CVE

  1. CVE-2024-38344
  2. CVE-2024-38345

References

  1. JVN : JVN#34977158

Revision History

  • [2024/06/26]
      Web page was published