CVE-2024-11640
Published: 08 March 2025
Summary
CVE-2024-11640 is a high-severity CSRF (CWE-352) vulnerability in E4Jconnect Vikrentcar. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires mechanisms like nonces to ensure session authenticity, directly preventing CSRF attacks via forged requests lacking proper validation.
Mandates validation of information inputs including CSRF tokens, blocking forged requests that attempt to alter plugin access privileges.
Ensures timely identification, reporting, and patching of flaws such as missing nonce validation in vulnerable plugins like VikRentCar.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vuln in public-facing WordPress plugin enables exploitation via malicious link to alter settings, facilitating arbitrary file upload (web shell) for RCE.
NVD Description
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible…
more
for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysisAI
CVE-2024-11640 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the VikRentCar Car Rental Management System plugin for WordPress in all versions up to and including 1.4.2. The issue stems from missing or incorrect nonce validation in the plugin's 'save' function. Published on 2025-03-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which submits a forged request to alter plugin access privileges. Successful exploitation enables attackers with subscriber-level privileges or higher to upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Mitigation details are available in advisories from Wordfence and the WordPress plugin repository. The patch is implemented in changeset 3225040, accessible at https://plugins.trac.wordpress.org/changeset/3225040/vikrentcar, and further intelligence is provided at https://www.wordfence.com/threat-intel/vulnerabilities/id/4a4c085a-1601-4c1a-ac17-0f2cf5d02489?source=cve. Security practitioners should prioritize updating the plugin beyond version 1.4.2 and educate administrators on verifying requests.
Details
- CWE(s)