Blocksy Companion Vulnerability – Cross-Site Request Forgery – CVE-2024-31932 | WordPress Plugin Vulnerability Report
Plugin Name: Blocksy Companion
Key Information:
- Software Type: Plugin
- Software Slug: blocksy-companion
- Software Status: Active
- Software Author: creativethemeshq
- Software Downloads: 7,114,824
- Active Installs: 200,000
- Last Updated: April 24, 2024
- Patched Versions: 2.0.29
- Affected Versions: <= 2.0.28
Vulnerability Details:
- Name: Blocksy Companion <= 2.0.28
- Title: Cross-Site Request Forgery
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2024-31932
- CVSS Score: 5.3
- Publicly Published: April 10, 2024
- Researcher: Vladislav Pokrovsky (ΞX.MI) - Independent AppSec Researcher
- Description: The Blocksy Companion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.28. This vulnerability arises from missing or incorrect nonce validation on several functions, allowing unauthenticated attackers to perform unauthorized actions via a forged request, provided they can deceive a site administrator into clicking a link.
Summary:
The Blocksy Companion plugin, which extends the functionality of WordPress sites, contains a vulnerability in versions up to and including 2.0.28 that allows unauthorized actions through forged requests because several of its functions do not validate WordPress nonces correctly. The issue is fixed in version 2.0.29.
Detailed Overview:
This vulnerability is significant because an attacker who can get a logged-in site administrator to click a crafted link can make the administrator's browser submit requests to the affected plugin functions; the browser attaches the administrator's session cookies automatically, and because the functions do not verify a nonce they cannot tell a forged request from a legitimate one. The result could be changes to site settings, content alterations, or other unauthorized actions performed without the administrator's consent. Version 2.0.29 adds the missing nonce validation to the affected functions.
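The class of defect described above, as an added illustration that is not Blocksy Companion's code: a hypothetical admin-ajax handler that saves a plugin option, shown first without nonce validation and then hardened with WordPress's nonce API. The hook name, option name, action name and script handle are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Names below (example_*, exampleAjax) are assumed.

// --- Vulnerable pattern: capability check only, no nonce check.
// A capability check does not stop CSRF: the forged request rides on the
// administrator's own session cookie, so current_user_can() still passes.
function example_save_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// --- Hardened pattern: verify a nonce bound to this action before any state change.
function example_save_setting_hardened() {
    // check_ajax_referer() reads _ajax_nonce (or _wpnonce) from the request and
    // dies with HTTP 403 when it does not match the action. If you call
    // wp_verify_nonce() directly instead, its return value must be checked;
    // calling it and ignoring the result is the "incorrect validation" variant.
    check_ajax_referer( 'example_save_setting' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_hardened' );

// The legitimate admin UI must be issued the nonce so that its own requests pass.
// A page on another origin cannot read this value, which is what breaks CSRF.
function example_enqueue_assets() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_setting' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_assets' );
```

The assumed admin.js would send the request with `action=example_save_setting` and `_ajax_nonce=exampleAjax.nonce`; a request without that field, such as one triggered from a link on another site, is rejected before update_option() runs.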
Advice for Users:
- Immediate Action: It is crucial for users of the Blocksy Companion plugin to update to the patched version, 2.0.29, immediately to mitigate the risk associated with this vulnerability.
- Check for Signs of Exploitation: Site administrators should review their site's logs for unexpected administrative actions. Because a CSRF request is sent by the administrator's own browser with their session cookies, it is logged as the administrator's activity; unexpected changes to plugin settings or content, or admin requests whose Referer or Origin header points to an outside site, are the indicators to look for.
- Alternate Plugins: While the patched version is secure, users may consider evaluating other feature-rich plugins that consistently demonstrate robust security measures as an additional precaution.
- Stay Updated: Regular updates to plugins and other website components are essential to maintaining security and functionality, protecting against known vulnerabilities.
Conclusion:
The quick response by the developers of Blocksy Companion to patch the CSRF vulnerability highlights the importance of timely software updates. Users are advised to ensure they are running version 2.0.29 or later to safeguard their WordPress installations. This incident underlines the critical nature of ongoing vigilance and proactive security measures in managing a secure and reliable digital presence.
References:
- Wordfence Vulnerability Report on Blocksy Companion
- Wordfence Threat Intelligence on Blocksy Companion