CVE-2024-43325: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Dark Mode for WP Dashboard WordPress plugin, affecting versions up to and including 1.2.3. The vulnerability was reported on July 29, 2024, and publicly disclosed on August 16, 2024. This security issue impacts the WordPress plugin's user profile mode changing functionality (Patchstack).

The vulnerability stems from missing or incorrect nonce validation in the darkmodedashboardchangeuserprofilemode() function. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rates it as MEDIUM with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to change a user's color mode preferences through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

The vulnerability has been fixed in version 1.2.4 of the Dark Mode for WP Dashboard plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).