Lucene search

WPScanVULNRICHMENT:CVE-2024-7864

HistorySep 13, 2024 - 6:00 a.m.

CVE-2024-7864 Favicon Generator < 2.1 - Arbitrary File Deletion via CSRF

2024-09-1306:00:04

WPScan

github.com

cve-2024-7864

favicon generator

arbitrary file deletion

csrf

wordpress plugin

path validation

server security

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

18.6%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:pixeljar:favicon_generator:*:*:*:*:*:*:*:*"
    ],
    "vendor": "pixeljar",
    "product": "favicon_generator",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

wpscan.com/vulnerability/6ce62e78-04a4-46b2-b97f-c4ef8f3258c3/