CVE-2024-12636: 
WordPress vulnerability analysis and mitigation

The WP Legal Pages plugin for WordPress (Privacy Policy Generator, Terms & Conditions Generator) contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 3.2.6. The vulnerability was discovered and disclosed on December 25, 2024, and has been assigned CVE-2024-12636. The issue affects the plugin's popup deletion functionality (NVD).

The vulnerability stems from missing or incorrect nonce validation in the 'createpopupdelete_process' function. This security flaw has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

If exploited, this vulnerability allows unauthenticated attackers to delete popups from the website through forged requests. The attack requires user interaction, specifically requiring a site administrator to click on a malicious link (NVD).

Website administrators running affected versions of the WP Legal Pages plugin should update to a version newer than 3.2.6 when available. In the meantime, administrators should be cautious about clicking links while logged into their WordPress dashboard (NVD).