CVE-2024-43287: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Brevo Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin, affecting versions up to and including 3.1.82. The vulnerability was publicly disclosed on August 16, 2024, and was assigned CVE-2024-43287 (NVD, Patchstack).

The vulnerability stems from missing or incorrect nonce validation in the processbulkaction() function. The CVSS v3.1 base score is rated as 8.8 (HIGH) according to NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rates it as 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to perform bulk actions on forms via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link (WPScan).

The vulnerability has been fixed in version 3.1.83 of the plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).