CVE-2024-13444: 
WordPress vulnerability analysis and mitigation

The wp-greet WordPress plugin versions up to 6.2 contain a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-13444. The vulnerability was discovered on January 21, 2025, and affects the plugin's settings functionality. The issue stems from missing or incorrect nonce validation on certain functions (NVD).

The vulnerability is caused by inadequate nonce validation in the plugin's functions, which allows for CSRF attacks. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires user interaction but can be exploited remotely without authentication (NVD).

When successfully exploited, the vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD).

The vulnerability has been fixed in version 6.3 of the wp-greet plugin. Users are advised to update to this latest version which includes security improvements and fixes for the CSRF issue (WordPress Plugin).