CVE-2024-0790: 
WordPress vulnerability analysis and mitigation

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.0.8.1. The vulnerability was discovered on February 5, 2024, and received a CVSS v3.1 base score of 5.4 (Medium) (NVD).

The vulnerability stems from missing or incorrect nonce validation on several functions including wpbe_create_new_term, wpbe_update_tax_term, wpbe_delete_tax_term, wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta. This security flaw has been assigned CWE-352 (Cross-Site Request Forgery) classification (NVD).

The vulnerability allows unauthenticated attackers to perform various unauthorized actions through forged requests, including creating, modifying, and deleting taxonomy terms, updating plugin options, deleting posts, and modifying post metadata. These actions can only be executed if an administrator can be tricked into performing specific actions like clicking on a malicious link (NVD).

A patch has been released to address this vulnerability. Users should update to a version newer than 1.0.8.1 of the WOLF – WordPress Posts Bulk Editor and Manager Professional plugin (Wordfence).