CVE-2024-10593: 
WordPress vulnerability analysis and mitigation

The WPForms WordPress plugin (versions up to and including 1.9.1.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability was discovered and disclosed on November 12, 2024, affecting the popular form builder plugin for WordPress. The issue stems from missing or incorrect nonce validation in the process_admin_ui function (NVD).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) with a CVSS v3.1 base score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The security flaw exists in the process_admin_ui function where proper nonce validation is either missing or incorrectly implemented (Wordfence).

If exploited, this vulnerability allows unauthenticated attackers to delete WPForm logs through forged requests. The attack requires social engineering as the attacker must trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Users should update their WPForms plugin to a version newer than 1.9.1.6 to address this vulnerability. The issue has been identified in the plugin's source code at specific locations in the Logs.php and ListTable.php files (WordPress Plugin).