ByteOS Network

Vulnerability Details :

CVE-2024-2858

Assigner-WPScan

Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Published At-15 Apr, 2024 | 05:00

Updated At-01 Aug, 2024 | 19:25

Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF

The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:WPScan

Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Published At:15 Apr, 2024 | 05:00

Updated At:01 Aug, 2024 | 19:25

▼CVE Numbering Authority (CNA)

Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF

The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Affected Products

Vendor

Unknown

Product

Simple Buttons Creator

Default Status

affected

Versions

Affected

From 0 through 1.04 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-352	CWE-352 Cross-Site Request Forgery (CSRF)

Type: CWE

CWE ID: CWE-352

Description: CWE-352 Cross-Site Request Forgery (CSRF)

Credits

finder

Bob Matyas

coordinator

WPScan

References

Hyperlink	Resource
https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/	exploit vdb-entry technical-description

Hyperlink: https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/

Resource:

exploit

vdb-entry

technical-description

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Affected Products

Vendor

wordpress_plugin

Product

simple_buttons_creator

CPEs

cpe:2.3:a:wordpress_plugin:simple_buttons_creator:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

From 0 through 1.04 (semver)

Metrics

Version	Base score	Base severity	Vector
3.1	4.8	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Version: 3.1

Base score: 4.8

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/	exploit vdb-entry technical-description x_transferred

Hyperlink: https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/

Resource:

exploit

vdb-entry

technical-description

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:contact@wpscan.com

Published At:15 Apr, 2024 | 05:15

Updated At:08 May, 2025 | 20:31

The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.8	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 4.8

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CPE Matches

robbychen>>simple_buttons_creator>>Versions up to 1.04(inclusive)

cpe:2.3:a:robbychen:simple_buttons_creator:*:*:*:*:*:wordpress:*:*

Weaknesses

CWE ID	Type	Source
CWE-352	Primary	nvd@nist.gov

CWE ID: CWE-352

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/	contact@wpscan.com	Exploit Third Party Advisory
https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/	af854a3a-2127-422b-91ae-364da2661108	Exploit Third Party Advisory

Hyperlink: https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/

Source: contact@wpscan.com

Resource:

Exploit

Third Party Advisory

Hyperlink: https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a/

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Exploit

Third Party Advisory

Similar CVEs

6Records found

CVE-2024-3972

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-5.7||MEDIUM

EPSS-0.05% / 14.91%

7 Day CHG~0.00%

Published-14 Jun, 2024 | 06:00

Updated-01 Aug, 2024 | 20:26

Similarity <= 3.0 - Stored XSS via CSRF

The Similarity WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Vendor-davidjmiller Unknown wordpress_plugin

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2024-2857

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-6.1||MEDIUM

EPSS-0.17% / 39.06%

7 Day CHG~0.00%

Published-15 Apr, 2024 | 05:00

Updated-08 May, 2025 | 20:31

Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS

The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.

Vendor-robbychen Unknown wordpress_plugin

Product-simple_buttons_creator Simple Buttons Creator simple_buttons_creator

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-8043

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-5.7||MEDIUM

EPSS-0.04% / 10.36%

7 Day CHG~0.00%

Published-17 Sep, 2024 | 06:00

Updated-27 Sep, 2024 | 18:22

Vikinghammer Tweet <= 0.2.4 - Stored XSS via CSRF

The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Vendor-seanschulte Unknown wordpress_plugin

Product-vikinghammer_tweet Vikinghammer Tweet vikinghammer_tweet

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2024-8044

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-5.7||MEDIUM

EPSS-0.05% / 14.81%

7 Day CHG~0.00%

Published-17 Sep, 2024 | 06:00

Updated-20 Sep, 2024 | 12:31

infolinks Ad Wrap <= 1.0.2 - Settings Update via CSRF

The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Vendor-Unknown wordpress_plugin

Product-infolinks Ad Wrap infolinks_ad_wrap

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2024-6244

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-8.8||HIGH

EPSS-2.79% / 85.52%

7 Day CHG~0.00%

Published-22 Jul, 2024 | 06:00

Updated-19 Mar, 2025 | 20:15

pz-frontend-manager < 1.0.6 - CSRF change user profile picture

The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Vendor-projectzealous Unknown wordpress_plugin

Product-pz_frontend_manager PZ Frontend Manager pz_frontend_manager

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2024-8051

Matching Score-6

Assigner-WPScan

View Details

Matching Score-6

Assigner-WPScan

CVSS Score-5.7||MEDIUM

EPSS-0.04% / 11.38%

7 Day CHG~0.00%

Published-17 Sep, 2024 | 06:00

Updated-27 Sep, 2024 | 18:19

Special Feed Items <= 1.0.1 - Stored XSS via CSRF

The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Vendor-moc Unknown wordpress_plugin

Product-special_feed_items Special Feed Items special_feed_items

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2024-2858

Credits

Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs