CVE-2024-0790: CWE-352 Cross-Site Request Forgery (CSRF) in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional
The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.
AI Analysis
Technical Summary
CVE-2024-0790 identifies multiple CSRF vulnerabilities in the WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress, affecting all versions up to 1.0.8.1. The vulnerabilities stem from missing or incorrect nonce validation in functions such as wpbe_create_new_term, wpbe_update_tax_term, wpbe_delete_tax_term, wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta. These flaws allow attackers to perform unauthorized actions like creating, modifying, or deleting taxonomy terms, updating plugin options, deleting posts, and modifying post metadata by tricking an authenticated site administrator into submitting a malicious request. The CVSS 3.1 base score is 5.4, reflecting a medium impact primarily on integrity and availability, with no confidentiality impact. No known exploits in the wild have been reported, and no patch or remediation details are provided in the available data.
Potential Impact
An attacker can exploit these CSRF vulnerabilities to cause an authenticated site administrator to unknowingly perform unauthorized actions, including creating, modifying, or deleting taxonomy terms, updating plugin options, deleting posts, and modifying post metadata. This can lead to partial loss of data integrity and availability within the affected WordPress site. There is no direct confidentiality impact reported. The overall severity is medium (CVSS 5.4).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or limiting the use of the affected plugin or restricting administrative access to trusted users only. Additionally, implementing web application firewalls or CSRF protection mechanisms at the site level may help mitigate risk. Monitor vendor channels for updates or patches addressing these vulnerabilities.
CVE-2024-0790: CWE-352 Cross-Site Request Forgery (CSRF) in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional
Description
The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-0790 identifies multiple CSRF vulnerabilities in the WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress, affecting all versions up to 1.0.8.1. The vulnerabilities stem from missing or incorrect nonce validation in functions such as wpbe_create_new_term, wpbe_update_tax_term, wpbe_delete_tax_term, wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta. These flaws allow attackers to perform unauthorized actions like creating, modifying, or deleting taxonomy terms, updating plugin options, deleting posts, and modifying post metadata by tricking an authenticated site administrator into submitting a malicious request. The CVSS 3.1 base score is 5.4, reflecting a medium impact primarily on integrity and availability, with no confidentiality impact. No known exploits in the wild have been reported, and no patch or remediation details are provided in the available data.
Potential Impact
An attacker can exploit these CSRF vulnerabilities to cause an authenticated site administrator to unknowingly perform unauthorized actions, including creating, modifying, or deleting taxonomy terms, updating plugin options, deleting posts, and modifying post metadata. This can lead to partial loss of data integrity and availability within the affected WordPress site. There is no direct confidentiality impact reported. The overall severity is medium (CVSS 5.4).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or limiting the use of the affected plugin or restricting administrative access to trusted users only. Additionally, implementing web application firewalls or CSRF protection mechanisms at the site level may help mitigate risk. Monitor vendor channels for updates or patches addressing these vulnerabilities.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-22T20:30:54.313Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6de5b7ef31ef0b590497
Added to database: 2/25/2026, 9:47:17 PM
Last enriched: 4/9/2026, 11:48:02 AM
Last updated: 4/12/2026, 5:14:48 PM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.