CVE-2024-1976: 
WordPress vulnerability analysis and mitigation

The Marketing Optimizer plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 20200925. The vulnerability was discovered in February 2024 and is tracked as CVE-2024-1976. The issue affects the admin/main-settings-page.php file in the WordPress Marketing Optimizer plugin (NVD).

The vulnerability stems from missing or incorrect nonce validation in the admin/main-settings-page.php file. The CVSS v3.1 score is 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity and requires user interaction (Wordfence).

If successfully exploited, the vulnerability allows unauthenticated attackers to update the plugin's settings and inject malicious JavaScript through forged requests. This can occur when an attacker tricks a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Users should update to a version newer than 20200925 if available. As this is a CSRF vulnerability, site administrators should be cautious about clicking on unknown links or performing actions when logged into their WordPress dashboard (Wordfence).