CVE-2024-3481

Published May 2, 2024

Last updated 10 months ago

CVSS medium 5.2

Overview

Description
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks
Source
contact@wpscan.com
NVD status
Analyzed
Products
counter_box

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.2
Impact score
4.2
Exploitability score
0.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-352

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.CVE-2024-13901
  2. Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery. This issue affects Counter Box: from n/a through 2.0.5.CVE-2025-24715

References

Sources include official advisories and independent security research.