
CVE-2024-10634: CWE-352 Cross-Site Request Forgery (CSRF) in Nokaut Offers Box (vendor unknown)

Medium
Tags: vulnerability, cve, CVE-2024-10634, CWE-79, CWE-352
Published: Thu May 15 2025 (05/15/2025, 20:06:45 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Nokaut Offers Box

Description

The Nokaut Offers Box WordPress plugin, through version 1.4.0, does not have a CSRF check in place when updating its settings. This could allow attackers to make a logged-in admin reset the plugin's settings via a CSRF attack.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 06:55:09 UTC

Technical Analysis

CVE-2024-10634 is a medium-severity vulnerability in the Nokaut Offers Box WordPress plugin, affecting versions up to and including 1.4.0. The plugin's settings-update handler performs no Cross-Site Request Forgery (CSRF) check, so it cannot tell a request that originated from its own admin page apart from one submitted by an attacker-controlled page. An attacker who lures a logged-in WordPress administrator to such a page can have the administrator's browser submit a request that resets the plugin's settings, without the administrator's knowledge or consent.

The record is tagged both CWE-352 (Cross-Site Request Forgery) and CWE-79 (Cross-Site Scripting). The published description covers only the CSRF issue; no XSS details are given, so the CWE-79 tag should not be read as a confirmed, separately described XSS flaw.

The CVSS 3.1 base score is 4.3 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, limited integrity impact, no availability impact. The attacker needs no account of their own, but the victim must be an administrator with an active session who visits the malicious page or link; the integrity impact is limited because the only described effect is a settings reset.

No exploits in the wild and no patch are recorded at the time of this analysis, so organizations running the plugin should apply compensating controls until an official fix is released. The plugin is deployed on WordPress sites, commonly e-commerce and marketing sites, to display offers or product deals. Successful exploitation changes the plugin's configuration, which could disrupt the site features that depend on it; any further impact beyond the settings reset is not described in the record.

Potential Impact

For European organizations that rely on WordPress sites with the Nokaut Offers Box plugin for e-commerce or marketing, the direct impact is a reset of the plugin's settings: promotional features may stop working or offers may be displayed incorrectly, degrading user experience and trust. If the reset settings interact with other weaknesses (the record's CWE-79 tag hints at, but does not describe, an XSS issue), the consequences could extend to session hijacking, credential theft, or defacement, with the reputational damage and potential GDPR scrutiny that follow when a site's integrity or its users' personal data are affected. Because a logged-in administrator must interact with a malicious link or page, large-scale automated exploitation is unlikely, but the risk remains real where there are many administrators or where phishing is common. With no patch available, organizations must rely on compensating controls. Given the medium CVSS score and the nature of the flaw, the threat is moderate, but it should not be dismissed in sectors where website integrity and availability are critical.

Mitigation Recommendations

1. Restrict administrative access to trusted personnel and enforce multi-factor authentication (MFA), so that fewer accounts can be driven into a CSRF attack and a compromised admin password alone is insufficient.
2. Educate administrators about phishing and social engineering; the attack only works if a logged-in admin visits an attacker-controlled page or link.
3. Add Web Application Firewall (WAF) rules for the plugin's settings endpoint: a WAF cannot validate WordPress nonces, but it can block state-changing requests to that endpoint whose Origin or Referer header is not the site itself, or whose Sec-Fetch-Site header is cross-site.
4. Monitor WordPress logs and plugin activity for unexpected configuration changes or resets, and correlate them with the admin's browsing activity at that time.
5. Disable or remove the Nokaut Offers Box plugin if it is not essential, or replace it with a maintained alternative, until a patch is released.
6. Keep WordPress core and all plugins up to date to reduce the overall attack surface.
7. If custom development is possible, add nonce verification (wp_nonce_field on the settings form and check_admin_referer or wp_verify_nonce in the handler) together with a capability check to the plugin's settings-update and reset code paths.
8. Watch the Nokaut and WordPress security advisories (including the WPScan record for this CVE) for a patch and apply it promptly once available.
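The following is an added example of the fix described in item 7; it is not the Nokaut Offers Box plugin's code, and every hook, option and function name (nob_example_*) is hypothetical. It shows the CWE-352 pattern from the advisory, a settings-reset handler that accepts any request from an authenticated browser, next to a hardened handler that requires a WordPress nonce bound to the admin's session and a capability check.

```php
<?php
// Added illustrative example, not code from the Nokaut Offers Box plugin.
// All names prefixed nob_example_ are hypothetical.

// --- Vulnerable pattern (CWE-352) ---
// Anything that reaches this handler resets the settings. A form on an
// attacker's page that posts action=nob_example_reset to admin-post.php is
// accepted, because the admin's cookies are sent and nothing proves the
// request came from the plugin's own settings page.
function nob_example_reset_settings_unsafe() {
    delete_option( 'nob_example_settings' ); // hypothetical option name
    wp_safe_redirect( admin_url( 'options-general.php?page=nob-example' ) );
    exit;
}
// add_action( 'admin_post_nob_example_reset', 'nob_example_reset_settings_unsafe' );

// --- Hardened pattern ---
// The settings page embeds a nonce; the handler refuses the request unless
// the nonce verifies for this action and this user's session.
function nob_example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nob_example_reset">
        <?php wp_nonce_field( 'nob_example_reset', 'nob_example_nonce' ); ?>
        <?php submit_button( 'Reset settings' ); ?>
    </form>
    <?php
}

function nob_example_reset_settings_safe() {
    // check_admin_referer() verifies $_REQUEST['nob_example_nonce'] against
    // the 'nob_example_reset' action and stops with an error page when it
    // does not match. Nonces are tied to the user ID and session token and
    // expire, so a cross-site page cannot supply a valid one.
    check_admin_referer( 'nob_example_reset', 'nob_example_nonce' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    delete_option( 'nob_example_settings' );
    wp_safe_redirect(
        add_query_arg( 'reset', '1', admin_url( 'options-general.php?page=nob-example' ) )
    );
    exit;
}
add_action( 'admin_post_nob_example_reset', 'nob_example_reset_settings_safe' );
```

Plugins that save settings through the WordPress Settings API (settings_fields() on the form, posting to options.php) get the nonce check from core automatically; the problem described in this advisory arises in custom handlers such as the one above, where the developer must call the nonce functions explicitly on every state-changing path, including reset and import actions, not only the main save.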


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-10-31T18:17:51.909Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec199

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:55:09 AM

Last updated: 7/31/2025, 12:28:00 PM

