How severe is CVE-2024-0624?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-0624?

This is classified as CWE-352, which is a common weakness in software security.

CVE-2024-0624 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Related Vulnerabilities

CVE-2013-6365

MEDIUM

CVSS:5.3(Medium)

Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions

CWE-3522013

CVE-2018-10099

MEDIUM

CVSS:5.3(Medium)

Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns...

CWE-3522018

CVE-2018-19334

MEDIUM

CVSS:5.3(Medium)

Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axi...

CWE-3522018

CVE-2018-19335

MEDIUM

CVSS:5.3(Medium)

Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby ...

CWE-3522018

CVE-2019-1003017

MEDIUM

CVSS:5.3(Medium)

A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentiall...

CWE-3522019

CVE-2019-19375

MEDIUM

CVSS:5.3(Medium)

In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS version...

CWE-3522019