CVE-2024-5028: 
WordPress vulnerability analysis and mitigation

The CM WordPress Search And Replace Plugin WordPress plugin before version 1.3.9 contains a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability was discovered on June 22, 2024, and was assigned CVE-2024-5028. The plugin lacks CSRF checks in certain areas, affecting the cm-on-demand-search-and-replace plugin (WPScan).

The vulnerability stems from missing CSRF protection mechanisms in specific plugin functionalities. The CVSS score is rated at 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and falls into the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

When exploited, this vulnerability could allow attackers to make logged-in users perform unwanted actions through CSRF attacks. This could potentially lead to unauthorized changes or actions being executed with the victim's privileges (WPScan).

The vulnerability has been fixed in version 1.3.9 of the CM WordPress Search And Replace Plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).