CVE-2024-4218 - Vulnerability Details - OpenCVE

The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.7. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vulnerable version is used as the core files, while the patched version was included in a 'trunk' folder. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6
https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00614}`	epss `{'score': 0.0047}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-30T04:31:54.404Z

Updated: 2024-08-01T20:33:53.009Z

Reserved: 2024-04-25T21:17:59.207Z

Link: CVE-2024-4218

Vulnrichment

Updated: 2024-08-01T20:33:53.009Z

NVD

Status : Awaiting Analysis

Published: 2024-05-30T05:15:56.183

Modified: 2024-11-21T09:42:24.667

Link: CVE-2024-4218

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4218", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-25T21:17:59.207Z", "datePublished": "2024-05-30T04:31:54.404Z", "dateUpdated": "2024-08-01T20:33:53.009Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-30T04:31:54.404Z"}, "affected": [{"vendor": "perrinalexandre05", "product": "AffiEasy", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.7. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vulnerable version is used as the core files, while the patched version was included in a 'trunk' folder. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "AffiEasy <= 1.1.7 - Cross-Site Request Forgery to Various Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Benedictus Jovan"}], "timeline": [{"time": "2024-05-29T15:52:55.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4218", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-30T14:28:21.452487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:53:36.758Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.009Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.009Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4218", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-30T14:28:21.452487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-30T14:28:57.349Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "AffiEasy <= 1.1.7 - Cross-Site Request Forgery to Various Actions", "credits": [{"lang": "en", "type": "finder", "value": "Benedictus Jovan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "perrinalexandre05", "product": "AffiEasy", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-29T15:52:55.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6"}], "descriptions": [{"lang": "en", "value": "The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.7. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vulnerable version is used as the core files, while the patched version was included in a 'trunk' folder. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-30T04:31:54.404Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4218", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:33:53.009Z", "dateReserved": "2024-04-25T21:17:59.207Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-30T04:31:54.404Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.7. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vulnerable version is used as the core files, while the patched version was included in a 'trunk' folder. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento AffiEasy para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.1.7 incluida. Esto se debe a que el complemento public\u00f3 incorrectamente la versi\u00f3n etiquetada y parcheada del complemento: la versi\u00f3n vulnerable se usa como archivos principales, mientras que la versi\u00f3n parcheada se incluy\u00f3 en una carpeta \"troncal\". Esto hace posible que atacantes no autenticados realicen una variedad de acciones a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2024-4218", "lastModified": "2024-11-21T09:42:24.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-30T05:15:56.183", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/affieasy/tags/1.1.6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/095a2262-1da2-4f79-896c-6d48eb079a7b?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis"}