CVE-2024-13883: 
WordPress vulnerability analysis and mitigation

The WPUpper Share Buttons plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 3.51. The vulnerability was discovered by Noah Stead (TurtleBurg) and was publicly disclosed on February 20, 2025 (Wordfence).

The vulnerability stems from missing or incorrect nonce validation in the 'save_custom_css_request' function. The issue has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

The vulnerability allows unauthenticated attackers to inject custom CSS to modify a site's appearance through a forged request. This can occur when an attacker successfully tricks a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Website administrators running affected versions of the WPUpper Share Buttons plugin should update to a version newer than 3.51 if available. The vulnerability is present in the plugin's source code at the ajax.controller.php file (WordPress Plugin).