WordPress Nested Pages Plugin High Severity Vulnerability

  • July 9, 2024
  • SEO

credit: Robert Montti

High severity vulnerability affecting up to +100,000 installations allows unauthenticated attackers to execute CSRF exploit

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory of a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting up to +100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level severity.

Cross Site Request Forgery (CSRF)

The Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code level files of WordPress.

There is a missing or incorrect nonce validation, which is a common security feature used in WordPress plugins to secure forms and URLs. A second flaw in the plugin is a missing security feature called sanitization. Sanitization is a method of securing data that’s input or output which is also common to WordPress plugins but in this case is missing.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter.”

The CSRF attack relies on getting a signed in WordPress user (like an Administrator) to click a link which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8 which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat which is an even higher level. So at 8.8 it is just short of a critical level threat.

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

If you are having any WordPress issues, please contact the experts at SPYDER web marketing at 833 377 9337 for help.

Jim is a Senior Digital Marketing Strategist Spyder Digital and has over 19 years of experience in the field. His insight and ability to drive new business for his clients from the Internet is unparalleled.


About SPYDER, web marketing agency

We are a digital marketing company with a focus on helping our customers achieve great results from various Internet marketing services across several key areas. 833 377 9337

Request a free quote

We offer professional web marketing services including content strategies,  SEO,  PPC, local marketing, Email campaigns, Social Media Strategies and digital consulting. Let's talk.


More from our blog

See all posts