Medium severity 6.1 · NVD Advisory · Published Dec 14, 2024 · Updated Apr 15, 2026

CVE-2024-12555

Description

The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SIP Calculator plugin for WordPress is vulnerable to CSRF due to missing nonce validation, allowing unauthenticated attackers to inject malicious scripts via forged requests.

Vulnerability Overview

The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. The root cause is the absence of nonce validation on a function. Nonce validation is a standard security check that ensures a request was intentionally made by the user. Without it, unauthenticated attackers can perform actions on behalf of an authenticated administrator without the administrator's consent [1].
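The following added example (not code from the SIP Calculator plugin or from this advisory) shows what the missing check looks like in a WordPress admin handler, with the unprotected pattern beside a hardened one. The handler, action, option and field names (`example_sip_*`, `label`) are hypothetical, since the advisory does not name the affected function.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from SIP Calculator.
// The action name, option name and field name are assumptions.

// Settings form: wp_nonce_field() embeds a token bound to this action
// and to the logged-in administrator's session.
function example_sip_render_form() {
    $label = get_option( 'example_sip_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sip_save">
        <?php wp_nonce_field( 'example_sip_save', 'example_sip_nonce' ); ?>
        <input type="text" name="label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Unprotected pattern (shown for comparison, never registered): any request
// that carries the administrator's cookies changes state, and the value is
// stored unsanitized, so a forged request can plant script in the site.
function example_sip_save_unprotected() {
    update_option( 'example_sip_label', $_POST['label'] );
}

// Hardened handler: capability check, nonce check, then sanitized storage.
function example_sip_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Ends the request with a 403 response if the nonce is missing or invalid.
    check_admin_referer( 'example_sip_save', 'example_sip_nonce' );

    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_sip_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-sip' ) );
    exit;
}
add_action( 'admin_post_example_sip_save', 'example_sip_save' );
```

The nonce check stops the forged request, while `sanitize_text_field()` on input and `esc_attr()` on output keep a stored value from executing as script even if a request does get through.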

Attack Vector

To exploit this vulnerability, an attacker must trick a site administrator into performing an action, such as clicking on a crafted link [1]. The attack does not require any authentication from the attacker, but it relies on social engineering to deceive a legitimate user. The forged request could trigger a state-changing operation or inject malicious web scripts into the WordPress installation.

Impact

Successful exploitation allows an attacker to inject arbitrary web scripts, which could lead to a wide range of malicious activities, including defacement, data theft, or further compromise of the site and its users. The vulnerability is classified as Medium severity with a CVSS v3 score of 6.1 [1].

Mitigation

As of the publication date (2024-12-14), the vendor has not released a patched version. Site administrators are advised to disable the plugin until a fix is available and to remain cautious of unexpected admin actions. The plugin's page does not indicate that a security update has been provided [1].

References
  1. SIP Calculator

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
