CVE-2024-22136: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in DroitThemes Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder, affecting versions up to and including 3.1.5. The vulnerability was disclosed on January 8, 2024, and was assigned CVE-2024-22136 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation in the WordPress plugin. The severity of this vulnerability has been assessed with different CVSS scores: NIST assigned a HIGH severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as MEDIUM with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

This vulnerability makes it possible for unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing actions such as clicking on malicious links. The impact primarily affects the integrity of the system through unauthorized state changes (WPScan).

Currently, there is no known official fix available for this vulnerability. Users of the affected versions (up to 3.1.5) should consider implementing general CSRF protection measures and exercise caution when clicking on links while authenticated as an administrator (WPScan).