CVE-2024-3475

HIGH

Sticky Buttons < 3.2.4 - Cross-Site Request Forgery in Bulk Actions

Title source: llm
STIX 2.1

Description

The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/bf540242-5306-4c94-ad50-782d0d5b127f/

Scores

CVSS v3 7.5
EPSS 0.0028
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
wow-company/sticky_buttons < 3.2.4
Published May 02, 2024
Tracked Since Feb 18, 2026