CVE-2024-22290: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Custom Dashboard Widgets WordPress plugin, affecting versions up to 1.3.1. The vulnerability was reported on January 4, 2024, and publicly disclosed on January 16, 2024. This security issue allows for Cross-Site Scripting (XSS) attacks through CSRF (Patchstack).

The vulnerability has been assigned CVE-2024-22290 and received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Patchstack assigned a slightly lower CVSS score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The attack requires user interaction but can potentially lead to significant security compromises through the combination of CSRF and XSS attacks (Patchstack).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators using the affected plugin versions are advised to implement the virtual patch until an official fix becomes available (Patchstack).