CVE-2024-54331: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress I Plant A Tree plugin, affecting versions up to and including 1.7.3. The vulnerability was reported on October 29, 2024, by researcher SOPROBRO and was assigned CVE-2024-54331. The issue was publicly disclosed on December 11, 2024, and has been fixed in version 1.7.4 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation in the ipat_plugin_options() function. This security flaw has been assigned a CVSS v3.1 score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery) (WPScan).

The vulnerability allows unauthenticated attackers to update plugin settings and inject malicious web scripts through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

The recommended mitigation is to update the I Plant A Tree plugin to version 1.7.4 or later, which contains the fix for this vulnerability. Users of Patchstack can enable auto-update functionality for vulnerable plugins to ensure timely protection (Patchstack).