CVE-2024-12545
📋 TL;DR
This CSRF vulnerability in the Scratch & Win WordPress plugin allows unauthenticated attackers to reset the plugin's installation by tricking administrators into clicking malicious links. All WordPress sites using this plugin up to version 2.7.1 are affected. Attackers can disrupt giveaway functionality and potentially cause service interruptions.
💻 Affected Systems
- Scratch & Win – Giveaways and Contests WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of giveaway functionality requiring plugin reconfiguration, potential loss of contest data, and temporary unavailability of promotional features.
Likely Case
Administrators tricked into clicking malicious links cause plugin reset, requiring manual reconfiguration and temporary service disruption.
If Mitigated
With proper CSRF protections and user awareness, exploitation attempts fail with no impact on plugin functionality.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators but uses simple HTTP requests. No authentication required for the reset action itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2 or later
Vendor Advisory: https://wordpress.org/plugins/scratch-win-giveaways-for-website-facebook/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Scratch & Win – Giveaways and Contests'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.7.2+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the plugin until patched to prevent exploitation
wp plugin deactivate scratch-win-giveaways-for-website-facebook
CSRF Protection Middleware
Implement web application firewall rules to block unauthorized reset requests
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to reduce clickjacking risks
- Educate administrators about phishing risks and implement multi-factor authentication
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 2.7.1 or lower, you are vulnerable.
Check Version:
wp plugin get scratch-win-giveaways-for-website-facebook --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 2.7.2 or higher, and confirm that the reset action now rejects requests that lack a valid nonce.
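The version check above is easy to script across many sites. The following Python helper is an added example, not part of the advisory or the plugin: it reads the output of the `wp plugin get ... --field=version` command from stdin, compares it numerically against the fixed release 2.7.2 (so that 2.7.10 is correctly treated as newer than 2.7.2), and exits non-zero when the installed version is still affected. The script name `check_swin.py` is an assumption.

```python
import re
import sys

# First patched release, per the advisory
FIXED_VERSION = "2.7.2"


def parse_version(text):
    """Turn '2.7.1' (or '2.7.1-beta') into a tuple of ints.

    Only the leading dotted-numeric part is compared; any suffix is dropped.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(parts, length):
    # Right-pad with zeros so "2.7" compares like "2.7.0"
    return parts + (0,) * (length - len(parts))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the first fixed version."""
    installed, patched = parse_version(version), parse_version(fixed)
    width = max(len(installed), len(patched))
    return _pad(installed, width) < _pad(patched, width)


if __name__ == "__main__":
    # Usage (assumed script name):
    #   wp plugin get scratch-win-giveaways-for-website-facebook --field=version \
    #     | python3 check_swin.py
    installed = sys.stdin.read().strip()
    if is_vulnerable(installed):
        print(f"VULNERABLE: Scratch & Win {installed} is older than {FIXED_VERSION}")
        sys.exit(1)
    print(f"OK: Scratch & Win {installed} is at or above {FIXED_VERSION}")
```

Because the exit status reflects the result, the script slots into a loop over WP-CLI aliases or a cron job that alerts on a non-zero return.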
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=reset_installation without valid nonce
- Plugin reset events in WordPress logs
Network Indicators:
- HTTP POST requests to admin-ajax.php with reset_installation parameter from unexpected sources
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="reset_installation")
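As an added example of the log indicators described above (not code from the advisory or the plugin), the following Python script scans web-server access-log lines in the common combined format for POST requests to `/wp-admin/admin-ajax.php` carrying `action=reset_installation`, and additionally notes when the Referer points at a host other than the site's own, which is the signature of a cross-site request. The hostname `shop.example` and all log lines are constructed for the example; the action name comes from the advisory's indicators.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx default). Regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "shop.example"              # assumption: your own WordPress hostname
RESET_ACTION = "reset_installation"     # action name from the advisory's log indicators
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample log lines: one benign heartbeat, one same-site reset,
# one reset referred from a foreign page, one unrelated request.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "https://shop.example/wp-admin/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:57:01 +0000] "POST /wp-admin/admin-ajax.php?action=reset_installation HTTP/1.1" 200 17 "https://shop.example/wp-admin/admin.php?page=swin" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:14:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=reset_installation HTTP/1.1" 200 17 "https://lure-page.example/contest.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def referer_host(referer):
    """Hostname of the Referer header, or None when absent ('-')."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def classify(rec):
    """Return the reasons a request is suspicious; an empty list means benign."""
    reasons = []
    if rec["method"] != "POST" or rec["path"] != AJAX_PATH:
        return reasons
    action = rec["query"].get("action", [None])[0]
    if action == RESET_ACTION:
        reasons.append("reset_installation action")
        host = referer_host(rec["referer"])
        if host != SITE_HOST:
            reasons.append(f"cross-site referer: {host or 'missing'}")
    return reasons


def find_suspicious(lines):
    """Scan log lines and return (ip, timestamp, reasons) for each hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(reasons)}")
```

Access logs only show the `action` parameter when it travels in the query string; a request that carries it in the POST body is invisible here, so pair this with WAF or application-level logging (or the SIEM query above) where the body is available. A missing or cross-site Referer on the reset action is the stronger signal, but a same-site reset outside a change window is still worth a look, since an administrator lured into clicking a link may arrive with a benign-looking Referer.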
🔗 References
- https://plugins.trac.wordpress.org/browser/scratch-win-giveaways-for-website-facebook/tags/2.7.0/includes/swin-api.php
- https://plugins.trac.wordpress.org/changeset/3212730/
- https://wordpress.org/plugins/scratch-win-giveaways-for-website-facebook/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbc157b-4f1b-4212-9e5c-dd10dd443df7?source=cve