VYPR
Medium severity 6.1 · NVD Advisory · Published Feb 19, 2025 · Updated Apr 8, 2026

CVE-2024-13339

Description

The DeBounce Email Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.8.0. This is due to missing or incorrect nonce validation on the 'debounce_email_validator' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The DeBounce Email Validator plugin for WordPress up to 5.8.0 is vulnerable to CSRF, allowing unauthenticated attackers to modify settings and inject scripts via forged requests.

The DeBounce Email Validator plugin for WordPress, available on the WordPress plugin repository [1], is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 5.8.0. The vulnerability stems from missing or incorrect nonce validation on the 'debounce_email_validator' settings page, which allows an attacker to forge requests that perform state-changing actions without the administrator's consent.

To exploit this vulnerability, an unauthenticated attacker must trick a site administrator into clicking a malicious link or visiting a crafted page. The forged request can then update plugin settings or inject malicious web scripts, as the request is processed with the administrator's privileges. No authentication is required for the attacker, only social engineering of a privileged user.

Successful exploitation enables an attacker to modify plugin configuration, potentially disabling email validation or redirecting data, and to inject arbitrary web scripts (stored XSS) that execute in the context of the administrator's session. This could lead to further compromise of the WordPress site, including theft of session cookies or privilege escalation.

As of the publication date, no patched version has been announced. Users running version 5.8.0 or earlier should monitor the plugin's update channel for a fix and consider implementing additional CSRF protections, such as using a Web Application Firewall (WAF) or temporarily disabling the plugin until a security update is available.
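For plugin authors and reviewers, the following added example (not the DeBounce plugin's code and not part of the original advisory) shows a WordPress settings page that performs the nonce and capability checks whose absence the description reports. The option name, nonce action, nonce field name, page slug and `ex_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Settings CSRF Hardening (illustrative)
 * Hypothetical settings page; all names below are assumptions for illustration.
 */
if (!defined('ABSPATH')) {
    exit; // Refuse direct access outside WordPress.
}

const EX_OPTION = 'example_validator_api_key'; // hypothetical option name
const EX_ACTION = 'example_validator_save';    // hypothetical nonce action
const EX_NONCE  = 'example_validator_nonce';   // hypothetical nonce field name

add_action('admin_menu', function () {
    add_options_page('Example Validator', 'Example Validator', 'manage_options',
        'example_validator', 'ex_render_settings_page');
});

function ex_maybe_save_settings() {
    if ('POST' !== ($_SERVER['REQUEST_METHOD'] ?? '') || !isset($_POST['ex_api_key'])) {
        return;
    }
    // Without this line a cross-site POST sent with the admin's cookies would be
    // accepted. check_admin_referer() ends the request if the nonce is missing or invalid.
    check_admin_referer(EX_ACTION, EX_NONCE);
    // A nonce proves intent, not authorization, so check the capability as well.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }
    // Sanitize before storing so markup cannot be persisted in the setting.
    update_option(EX_OPTION, sanitize_text_field(wp_unslash($_POST['ex_api_key'])));
}

function ex_render_settings_page() {
    if (!current_user_can('manage_options')) {
        return;
    }
    ex_maybe_save_settings();
    $value = get_option(EX_OPTION, '');
    echo '<div class="wrap"><h1>Example Validator</h1><form method="post">';
    // Emits the hidden per-user, per-action token that the save handler verifies.
    wp_nonce_field(EX_ACTION, EX_NONCE);
    // Escape on output so a stored value cannot break out of the attribute.
    printf('<input type="text" name="ex_api_key" value="%s" class="regular-text">',
        esc_attr($value));
    submit_button();
    echo '</form></div>';
}
```

When auditing a plugin for this class of issue, look for handlers that read `$_POST` or `$_GET` and call `update_option()` without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.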

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
