CVE-2024-52401: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Hacklog DownloadManager WordPress plugin, identified as CVE-2024-52401. The vulnerability affects versions up to and including 2.1.4, and was discovered by Joshua Chan on October 24, 2024, with public disclosure on November 13, 2024. The vulnerability exists due to missing or incorrect nonce validation on a function in the plugin (WPScan, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) by Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The issue is classified under CWE-352 (Cross-Site Request Forgery) and requires no authentication to exploit, though it does require user interaction. The vulnerability stems from improper implementation of CSRF protections in the plugin's functionality (Patchstack).

The vulnerability allows unauthenticated attackers to upload arbitrary files, including web shells, to the web server through forged requests. This is possible if they can trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators using the affected plugin versions should consider implementing the Patchstack protection or removing the plugin until a patch is released (Patchstack).