CVE-2024-4390: CWE-863 Incorrect Authorization in averta Depicter — Popup & Slider Builder
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/function. This could be used to invoke functionality that is protected only by nonce checks.
AI Analysis
Technical Summary
The Slider and Carousel slider by Depicter WordPress plugin versions up to 3.0.2 contain an incorrect authorization vulnerability (CWE-863) that permits authenticated users with contributor-level access or above to arbitrarily generate valid nonces for any WordPress action or function. Nonces are intended to protect against CSRF by validating user intent, but this flaw allows bypassing such protections by creating valid nonces without proper authorization. This vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity impact primarily affecting confidentiality due to potential unauthorized action invocation. No patch or official remediation guidance is currently provided.
Potential Impact
An attacker with contributor or higher privileges can generate valid nonces for any WordPress action or function, potentially enabling them to perform actions that rely solely on nonce validation for authorization. This could lead to unauthorized invocation of protected functionality, impacting the confidentiality of the affected system. There is no indication of impact on integrity or availability. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor and higher user roles to trusted individuals only. Monitor for updates from the plugin vendor and apply patches promptly once released.
CVE-2024-4390: CWE-863 Incorrect Authorization in averta Depicter — Popup & Slider Builder
Description
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/function. This could be used to invoke functionality that is protected only by nonce checks.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Slider and Carousel slider by Depicter WordPress plugin versions up to 3.0.2 contain an incorrect authorization vulnerability (CWE-863) that permits authenticated users with contributor-level access or above to arbitrarily generate valid nonces for any WordPress action or function. Nonces are intended to protect against CSRF by validating user intent, but this flaw allows bypassing such protections by creating valid nonces without proper authorization. This vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity impact primarily affecting confidentiality due to potential unauthorized action invocation. No patch or official remediation guidance is currently provided.
Potential Impact
An attacker with contributor or higher privileges can generate valid nonces for any WordPress action or function, potentially enabling them to perform actions that rely solely on nonce validation for authorization. This could lead to unauthorized invocation of protected functionality, impacting the confidentiality of the affected system. There is no indication of impact on integrity or availability. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor and higher user roles to trusted individuals only. Monitor for updates from the plugin vendor and apply patches promptly once released.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-05-01T15:26:59.549Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b8ab7ef31ef0b55675a
Added to database: 2/25/2026, 9:37:14 PM
Last enriched: 4/9/2026, 7:43:45 AM
Last updated: 4/12/2026, 8:36:07 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.