{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-1504", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-14T18:20:16.733Z", "datePublished": "2024-04-02T05:32:50.115Z", "dateUpdated": "2026-04-08T16:48:53.493Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:53.493Z"}, "affected": [{"vendor": "secupress", "product": "SecuPress with Simple SSL \u2013 Simple and Performant Security", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link."}], "title": "SecuPress Free \u2014 WordPress Security <= 2.2.5.1 - Cross-Site Request Forgery to Banned IP Address", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-04-01T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-02T15:34:24.520629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:03.011Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.099Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.099Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-02T15:34:24.520629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:21.162Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "SecuPress Free \u2014 WordPress Security <= 2.2.5.1 - Cross-Site Request Forgery to Banned IP Address", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "secupress", "product": "SecuPress with Simple SSL \u2013 Simple and Performant Security", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-01T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74"}], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:53.493Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1504", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:53.493Z", "dateReserved": "2024-02-14T18:20:16.733Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-04-02T05:32:50.115Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:secupress:secupress:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "D258B508-69F6-4E41-B905-240DD1EE6C39", "versionEndExcluding": "2.2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento SecuPress Free \u2013 WordPress Security para WordPress es vulnerable a cross-site request forgery en todas las versiones hasta la 2.2.5.1 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en la funci\u00f3n secupress_blackhole_ban_ip(). Esto hace posible que atacantes no autenticados bloqueen la IP de un usuario mediante una solicitud falsificada, siempre que puedan enga\u00f1ar al usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2024-1504", "lastModified": "2026-04-08T18:20:41.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-04-02T06:15:12.963", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/secupress/tags/2.2.5.1/free/modules/sensitive-data/plugins/blackhole.php#L74"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/sensitive-data/plugins/blackhole.php#L54"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4243bd6d-34f6-4d29-a333-4499a2e2d2e1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{}