CVE-2024-49250: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress Table of Contents Plus plugin, affecting versions up to 2408. The vulnerability was identified on October 14, 2024, and was assigned CVE-2024-49250. The plugin, developed by Michael Tran, is susceptible to unauthorized actions through cross-site request forgery attacks (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on certain functions within the plugin. It has received varying CVSS scores, with the NVD assigning a base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack assessed it at 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. This could potentially lead to unauthorized modifications or actions being executed with administrator privileges (WPScan).

The vulnerability has been fixed in version 2411 of the Table of Contents Plus plugin. Users are advised to update to this version or later to remediate the security issue (WPScan).