CVE-2024-12386
Published: 12 February 2025
Summary
CVE-2024-12386 is a high-severity CSRF (CWE-352) vulnerability in Kevonadonis Wp Abstracts. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The vulnerability ranks at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-12386 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the WP Abstracts plugin for WordPress in all versions up to and including 2.7.3. The issue arises from missing nonce validation on multiple functions within the plugin, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). Published on 2025-02-12, it enables unauthorized state-changing actions because the affected functions never verify a nonce before acting on a request.
Unauthenticated attackers can exploit this vulnerability by crafting a forged request and tricking a site administrator into executing it, such as by clicking a malicious link. Successful exploitation allows the deletion of arbitrary accounts, resulting in high integrity and availability impacts without requiring prior privileges, though it depends on user interaction.
Mitigation details are provided in advisories from the WordPress plugins trac (changeset 3238664), the plugin's developer page on WordPress.org, and Wordfence threat intelligence. Security practitioners should review these sources and update the WP Abstracts plugin to a version beyond 2.7.3 to address the missing nonce validation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50820
Vulnerability details
The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF requires delivery via a malicious link (T1204.001), often through spearphishing (T1566.002), and directly enables account deletion (T1531).
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms such as anti-CSRF tokens or nonces to protect session authenticity, directly mitigating the missing nonce validation that enables forged requests in CVE-2024-12386.
SI-10 enforces validation of all information inputs, including nonce parameters on plugin functions, preventing unauthenticated attackers from successfully submitting forged requests.
SI-2 mandates timely identification, reporting, and correction of software flaws like the missing nonce checks in WP Abstracts up to version 2.7.3, enabling patching to eliminate the vulnerability.
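To make the missing-nonce defect from the analysis above and the SC-23/SI-10 controls concrete, the following PHP is an added, hypothetical WordPress admin-action handler written for this page; it is not code from the WP Abstracts plugin or from its developer. The first function shows a state-changing handler with no nonce check (the class of defect the advisory describes); the second adds nonce verification and a capability check; the third generates the matching nonce-bearing link. The action name `wpa_demo_delete_account`, the nonce action string `wpa_demo_delete_account_{id}`, and all function names are assumptions; the WordPress API calls (`check_admin_referer`, `wp_nonce_url`, `current_user_can`, `wp_delete_user`) are real.

```php
<?php
/**
 * Illustrative WordPress handlers (hypothetical; not from WP Abstracts).
 * Handlers on the admin_post_* hook run for logged-in users who send a
 * request to wp-admin/admin-post.php?action=<name>.
 */

// BEFORE (defect class described in the advisory): no nonce check.
// Any third-party page an administrator visits can make the browser send
// this request with the admin's session cookies, and WordPress honours it.
// Shown for contrast only; deliberately not registered on any hook.
function wpa_demo_delete_account_unsafe() {
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id ); // executes for a forged request too
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// AFTER: nonce verification (SC-23, session authenticity) plus input and
// authorization checks (SI-10). check_admin_referer() calls wp_die() when
// the _wpnonce field is absent, expired, or tied to a different action.
function wpa_demo_delete_account_safe() {
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );

    // The nonce action string includes the target id, so a token issued
    // for one deletion cannot be reused against another account.
    check_admin_referer( 'wpa_demo_delete_account_' . $user_id );

    // A valid nonce proves intent, not privilege: still check capability.
    if ( 0 === $user_id || ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'wpa-demo' ), 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_wpa_demo_delete_account', 'wpa_demo_delete_account_safe' );

// The plugin's own UI embeds the nonce in the link, so only requests that
// originate from that UI (for the current user's session) carry a valid token.
function wpa_demo_delete_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg(
        array( 'action' => 'wpa_demo_delete_account', 'user_id' => $user_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wpa_demo_delete_account_' . $user_id );
}
```

WordPress nonces are bound to the logged-in user and the action string and expire after a short window, so a request constructed on another origin cannot carry a token that `check_admin_referer()` accepts; for handlers that should fail quietly instead of calling `wp_die()`, `wp_verify_nonce()` returns false and lets the caller decide. The capability check is kept separate because the nonce only establishes that the request came from the plugin's own page, not that the user is allowed to delete accounts.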