CVE-2024-0858

8.8 HIGH

📋 TL;DR

The Innovs HR WordPress plugin through version 1.0.3.4 lacks Cross-Site Request Forgery (CSRF) protection on at least one state-changing endpoint. An attacker who lures a logged-in, sufficiently privileged user to a page they control can have that user's browser submit a forged request to the site; the plugin accepts it because it checks only the session cookie, not a nonce bound to the action and the user. The reported outcome is the creation of an employee record (for example, with the attacker's own details); other administrative actions the plugin exposes without a nonce check are potentially reachable the same way.

💻 Affected Systems

Products:
  • Innovs HR WordPress Plugin
Versions: through 1.0.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress site with the vulnerable plugin activated and a victim who is logged in with sufficient rights to perform the forged action. The victim does not need to have the admin dashboard open at the time; a valid session cookie is enough.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative access to the HR system, manipulate employee data, escalate privileges, or perform other unauthorized administrative actions through the forged requests of a compromised user session.

🟠 Likely Case

Attackers add themselves as employees to gain access to sensitive HR data or system functionality, potentially leading to data theft or further system compromise.

🟢 If Mitigated

With a nonce check tied to the action and the current user, the forged request fails: the attacker's page cannot read or guess the token, so the handler rejects the submission before any change is made. Modern browsers treat cookies without a SameSite attribute as Lax by default, which already blocks many cross-site POSTs from carrying the session cookie, but that is browser behaviour rather than a property of the plugin and is not a substitute for the nonce.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM
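The pattern behind the advisory, shown as an added illustrative example rather than the Innovs HR plugin's own code: a WordPress admin-post handler that trusts the session cookie alone, beside the same handler hardened with a capability check and a nonce. The hook names, form, option name and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Illustrative example, not the Innovs HR plugin's code. Hook names, the
// option name and the capability used are assumptions for this demo.

// --- Vulnerable pattern: trusts the session cookie alone --------------------
// Any POST that carries the victim's auth cookie is accepted, including a form
// auto-submitted from an attacker's page while the victim is logged in.
add_action('admin_post_example_add_employee', 'example_add_employee_vulnerable');
function example_add_employee_vulnerable() {
    $name  = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    example_store_employee($name, $email);
    wp_safe_redirect(admin_url('admin.php?page=example-employees'));
    exit;
}

// --- Hardened pattern: capability check + nonce ----------------------------
add_action('admin_post_example_add_employee_safe', 'example_add_employee_safe');
function example_add_employee_safe() {
    // 1. Authorisation: only users allowed to manage employees may proceed.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), 403);
    }
    // 2. CSRF: check_admin_referer() verifies a nonce bound to this action and
    //    the current user, and terminates with a 403 page if it is missing or
    //    invalid. An attacker's page cannot read or forge this value.
    check_admin_referer('example_add_employee', '_example_nonce');

    $name  = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if ($name === '' || !is_email($email)) {
        wp_die(__('Invalid employee data.'), 400);
    }
    example_store_employee($name, $email);
    wp_safe_redirect(admin_url('admin.php?page=example-employees&added=1'));
    exit;
}

// The legitimate form must embed the nonce the hardened handler expects.
function example_render_add_employee_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_add_employee_safe">
        <?php wp_nonce_field('example_add_employee', '_example_nonce'); ?>
        <input type="text" name="name" required>
        <input type="email" name="email" required>
        <button type="submit">Add employee</button>
    </form>
    <?php
}

// Storage stub shared by both handlers (an option array, for the demo only).
function example_store_employee($name, $email) {
    $employees   = get_option('example_employees', []);
    $employees[] = ['name' => $name, 'email' => $email];
    update_option('example_employees', $employees);
}
```

The capability check and the nonce check answer different questions (is this user allowed to do this, and did this user actually intend to do it), so both are needed; a nonce alone would still let a low-privileged user with a valid token call the handler.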

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires social engineering: the attacker must get a user who holds a valid WordPress session with sufficient rights to open a page the attacker controls. The victim does not have to be on the admin dashboard at the time, and the forged request is sent by the victim's own browser, so it arrives from the victim's IP address and user agent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3.5 or later

Vendor Advisory: https://wpscan.com/vulnerability/f6627a35-d158-495e-9d56-69405cfca221/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Innovs HR plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: all

Disable the Innovs HR plugin until the patched version is installed. The slug below is the one used on this page; confirm the actual directory name with `wp plugin list` before running it.

wp plugin deactivate innovs-hr

CSRF Protection via WAF

Platform: all

A WAF cannot verify WordPress nonces, but it can enforce the same-origin rule a browser-issued cross-site request breaks: block POST requests to /wp-admin/admin-post.php and /wp-admin/admin-ajax.php whose Origin header (or, if absent, Referer) names a host other than your site. Reject requests that carry neither header (fail closed); an attacker can suppress Referer, and Origin may be the literal string "null". This is a stop-gap that may also block non-browser clients, not a replacement for the patch.

🧯 If You Can't Patch

  • Restrict which accounts hold the capability the plugin's employee-management screens require, and review the employee list regularly for records nobody recognises
  • Tell administrators not to browse untrusted sites in the same browser session in which they are logged into WordPress admin, and to log out when finished
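The origin check described under the WAF workaround, implemented inside WordPress as a must-use plugin so it applies even where no WAF is available. This is an added example, not part of the Innovs HR plugin or the advisory; the action names in `EXAMPLE_GUARDED_ACTIONS` are hypothetical placeholders and must be replaced with the real `action` values found in the plugin's forms and AJAX calls.

```php
<?php
/**
 * Plugin Name: Example cross-origin guard (illustrative stop-gap)
 * Description: Rejects cross-site POSTs for listed admin-post/admin-ajax actions.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// ASSUMPTION: the real action names are not given in the advisory. Inspect the
// plugin's forms (the hidden "action" field) and replace these placeholders.
const EXAMPLE_GUARDED_ACTIONS = ['innovs_hr_add_employee', 'innovs_hr_update_employee'];

// Returns the host named by Origin (preferred) or Referer, or null if neither
// header is usable. Browsers always send Origin on cross-site POSTs; a literal
// "null" Origin (e.g. from a sandboxed frame) is treated as unusable.
function example_request_origin_host(): ?string {
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $key) {
        if (!empty($_SERVER[$key]) && $_SERVER[$key] !== 'null') {
            $host = wp_parse_url($_SERVER[$key], PHP_URL_HOST);
            if (is_string($host) && $host !== '') {
                return strtolower($host);
            }
        }
    }
    return null;
}

// Same-origin means the request's host equals the site's own host. A missing
// header yields null, which never matches: the check fails closed.
function example_is_same_origin(): bool {
    $site_host = strtolower((string) wp_parse_url(home_url(), PHP_URL_HOST));
    return example_request_origin_host() === $site_host;
}

function example_guard_cross_origin_actions(): void {
    // Only state-changing requests matter for CSRF.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    $action = isset($_REQUEST['action'])
        ? sanitize_key(wp_unslash($_REQUEST['action']))
        : '';
    if (!in_array($action, EXAMPLE_GUARDED_ACTIONS, true)) {
        return;
    }
    if (!example_is_same_origin()) {
        // Record the block; the victim's IP is what appears here, by design.
        error_log(sprintf(
            'example-guard: blocked cross-origin POST for action=%s from %s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ));
        wp_die(__('Cross-origin request rejected.'), 403);
    }
}

// admin_init fires in both admin-post.php and admin-ajax.php before the
// admin_post_{action} / wp_ajax_{action} hooks that plugin handlers use.
add_action('admin_init', 'example_guard_cross_origin_actions');
```

Because the guard keys on the `action` parameter, it does not touch unrelated admin traffic, but any legitimate integration that posts to the listed actions without a browser Origin or Referer header will also be rejected; test on staging first. Remove the file once the plugin is updated to 1.0.3.5 or later.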

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Innovs HR version 1.0.3.4 or earlier

Check Version:

wp plugin get innovs-hr --field=version

(The slug innovs-hr is as listed on this page; if the command reports no such plugin, find the real slug with `wp plugin list`.)

Verify Fix Applied:

Verify plugin version is 1.0.3.5 or later in WordPress admin plugins page

📡 Detection & Monitoring

Log Indicators:

  • Employee records that no administrator remembers creating, particularly ones appearing while an administrator was logged in and browsing other sites
  • Do not expect attacker infrastructure in the web server log: the forged request is sent by the victim's own browser, so the source IP and User-Agent are the victim's and look legitimate

Network Indicators:

  • POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php whose Referer or Origin header is absent or names a host other than your site. The nonce (where the plugin sends one) travels in the POST body and can only be checked in-app, not from access logs.

SIEM Query:

Splunk-style pseudo-query; field names depend on your log source, "your-site.example" is a placeholder for your own hostname, and the plugin's action parameter is only visible if request bodies are logged:

source="access.log" method=POST (uri="/wp-admin/admin-post.php" OR uri="/wp-admin/admin-ajax.php") NOT referer="https://your-site.example/*"
