Unyson Vulnerability – Cross-Site Request Forgery – CVE-2024-34814 | WordPress Plugin Vulnerability Report
Plugin Name: Unyson
Key Information:
- Software Type: Plugin
- Software Slug: unyson
- Software Status: Removed
- Software Author: unyson
- Software Downloads: 3,375,089
- Active Installs: 200,000
- Last Updated: May 9, 2024
- Patched Versions: 2.7.31
- Affected Versions: <= 2.7.30
Vulnerability Details:
- Name: Unyson <= 2.7.29 - Cross-Site Request Forgery
- Type: Cross-Site Request Forgery (CSRF)
- CVE: CVE-2024-34814
- CVSS Score: 4.3 (Medium)
- Publicly Published: May 9, 2024
- Researcher: Dhabaleshwar Das
- Description: The Unyson plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.30. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action, provided they can trick a site administrator into performing an action such as clicking on a link.
Summary:
The Unyson plugin for WordPress has a vulnerability in versions up to and including 2.7.30 that allows for Cross-Site Request Forgery (CSRF) attacks due to missing or incorrect nonce validation on an unknown function. This vulnerability has been patched in version 2.7.31.
Detailed Overview:
Researcher Dhabaleshwar Das discovered a Cross-Site Request Forgery (CSRF) vulnerability in the Unyson plugin for WordPress. The vulnerability exists in all versions up to and including 2.7.30 and is caused by missing or incorrect nonce validation on an unknown function. This vulnerability allows unauthenticated attackers to perform an unknown action if they can trick a site administrator into performing an action, such as clicking on a link. The vulnerability has been assigned a CVSS score of 4.3 (Medium) and was publicly published on May 9, 2024.
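The report does not identify the affected function, so the following is an added, hypothetical illustration of the weakness class it describes rather than Unyson's own code: a WordPress admin action handler that changes state without checking a nonce, beside the hardened form that ties the request to a capability check and an action-specific nonce. The option name `demo_setting`, the action slug `demo_save_setting` and the `manage_options` capability are assumptions chosen for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are standard core APIs.

```php
<?php
// Added example, not Unyson's code. Shows the CSRF pattern the advisory
// describes (a state-changing handler with no nonce validation) and the
// hardened version. Option name, action slug and capability are assumed.

// --- Vulnerable pattern: the handler trusts any POST that reaches it. ---
// If a logged-in administrator is tricked into submitting a cross-site form,
// the browser sends their session cookies and this runs on their behalf.
function demo_save_setting_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) );
    update_option( 'demo_setting', $value );   // state change, no CSRF check
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}

// --- Hardened pattern: capability check plus an action-specific nonce. ---
function demo_save_setting_hardened() {
    // Who may do this: only users holding the required capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Did this user intend this action: the request must carry a nonce that
    // was generated for 'demo_save_setting' for the current user.
    // check_admin_referer() reads $_REQUEST['_wpnonce'] by default and calls
    // wp_die() when the nonce is missing, expired or bound to another action.
    check_admin_referer( 'demo_save_setting' );

    $value = sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) );
    update_option( 'demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}
// Register only the authenticated hook; no admin_post_nopriv_ variant, so the
// handler is never reachable without a logged-in session at all.
add_action( 'admin_post_demo_save_setting', 'demo_save_setting_hardened' );

// The legitimate form embeds the matching nonce; a form hosted on another
// site cannot obtain it, so its submission fails check_admin_referer().
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_setting">
        <?php wp_nonce_field( 'demo_save_setting' ); ?>
        <input type="text" name="demo_setting"
               value="<?php echo esc_attr( get_option( 'demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points matter when reviewing a plugin for this class of bug: the nonce check must sit in every handler that changes state (including AJAX and `admin_post_*` callbacks, not only the settings page that renders the form), and a nonce is not a substitute for the capability check, since nonces only prove intent, not authorization. Note that `check_admin_referer()` calling `wp_die()` on failure is itself a useful signal: repeated nonce failures for an administrator account in the web server logs are worth a look when reviewing for the suspicious activity the advice below mentions.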
Advice for Users:
- Immediate Action: Users are encouraged to update their Unyson plugin to version 2.7.31 or later to mitigate this vulnerability.
- Check for Signs of Vulnerability: Users should review their site's activity logs for any suspicious actions or changes that may indicate a compromise.
- Alternate Plugins: Although a patch is available, users may still consider switching to plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the Unyson developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.7.31 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/unyson
Detailed Report:
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.