CVE-2024-9592: 
WordPress vulnerability analysis and mitigation

The Easy PayPal Gift Certificate plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.3. The vulnerability was disclosed on October 11, 2024, and has been assigned CVE-2024-9592. This security issue affects the WordPress plugin's settings functionality (NVD).

The vulnerability stems from missing or incorrect nonce validation in the 'wpppgcpluginoptions' function. The issue has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) (NVD, Wordfence).

Successful exploitation of this vulnerability could allow unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request. The attack requires user interaction, specifically tricking a site administrator into performing an action such as clicking on a malicious link (NVD).

Website administrators running the affected versions of the Easy PayPal Gift Certificate plugin (versions up to and including 1.2.3) should update to a patched version when available. In the meantime, administrators should exercise caution when clicking on links while logged into their WordPress dashboard (NVD).