CVE-2024-11640: 
WordPress vulnerability analysis and mitigation

The VikRentCar Car Rental Management System plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.4.2. The vulnerability was discovered and reported by Wordfence, with the CVE identifier CVE-2024-11640 being assigned on March 8, 2025 (NVD CVE).

The vulnerability stems from missing or incorrect nonce validation on the 'save' function within the plugin. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD CVE).

Successful exploitation of this vulnerability allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server, potentially enabling remote code execution. Additionally, unauthenticated attackers can change plugin access privileges if they can trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD CVE).

A security patch has been released that adds CSRF-proof tokens and related validation. The update also includes restrictions on allowed file types for upload across all available functions. Users should upgrade to version 1.4.3 or later to address this vulnerability (WordPress Plugin).