CVE-2024-13510

6.1 MEDIUM

CSRF

📋 TL;DR

The ShopSite WordPress plugin has a Cross-Site Request Forgery vulnerability that allows attackers to trick administrators into performing unintended actions. When exploited, attackers can update plugin settings and inject malicious scripts without authentication. All WordPress sites using ShopSite plugin versions up to 1.5.10 are affected.

💻 Affected Systems

Products:

• ShopSite WordPress Plugin

Versions: All versions up to and including 1.5.10

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with ShopSite plugin active. Vulnerability exists regardless of other security configurations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Site takeover through admin account compromise, data theft, malware distribution to visitors, and complete website defacement.

🟠

Likely Case

Malicious script injection leading to SEO spam, redirects to malicious sites, or credential harvesting from visitors.

🟢

If Mitigated

No impact if proper CSRF protections are implemented or plugin is updated/disabled.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires social engineering to trick an administrator into clicking a malicious link while authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.11 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3226553%40shopsite-plugin%2Ftrunk&old=3139879%40shopsite-plugin%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find ShopSite plugin and click 'Update Now'. 4. Verify version is 1.5.11 or higher.

🔧 Temporary Workarounds

Disable ShopSite Plugin

all

Temporarily disable the vulnerable plugin until patching is possible.

Copy

wp plugin deactivate shopsite-plugin

Implement CSRF Protection Headers

linux

Add security headers to WordPress to help mitigate CSRF attacks.

Copy

Add to .htaccess: Header set X-Frame-Options "SAMEORIGIN"
Add to .htaccess: Header set Content-Security-Policy "frame-ancestors 'self'"

🧯 If You Can't Patch

• Restrict admin access to trusted networks only using firewall rules
• Implement mandatory multi-factor authentication for all WordPress administrator accounts

🔍 How to Verify

Check if Vulnerable:

Copy

Check WordPress admin panel > Plugins > Installed Plugins for ShopSite version number

Check Version:

Copy

wp plugin list --name=shopsite-plugin --field=version

Verify Fix Applied:

Copy

Verify ShopSite plugin version is 1.5.11 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

• Unusual POST requests to /wp-admin/admin-ajax.php with shopsite parameters
• Multiple failed CSRF token validations in WordPress debug logs

Network Indicators:

• Unexpected outbound connections from WordPress server after admin visits suspicious links

SIEM Query:

Copy

source="wordpress.log" AND ("shopsite" AND "admin-ajax.php") AND status=200

📊 Metadata

CVE ID: CVE-2024-13510

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-352

EPSS Score: 0.04% exploit probability (12.5th percentile)

Published: February 4, 2025

Last Updated: February 4, 2025

🔗 References

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3226553%40shopsite-plugin%2Ftrunk&old=3139879%40shopsite-plugin%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/c2fde092-0a12-42ab-abbb-7f5ff5de9af2?source=cve

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13510, you might also want to check these:

CVE-2025-23922 10.0

A Cross-Site Request Forgery (CSRF) vulnerability in the Harsh iSpring Embedder WordPress plugin all...

Same vulnerability type (CWE-352)

CVE-2018-18934 9.8

This vulnerability in PopojiCMS v2.0.1 allows remote attackers to upload and execute arbitrary PHP c...

Same vulnerability type (CWE-352)

CVE-2020-10181 9.8

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Sumavision Enhanced Multimed...

Same vulnerability type (CWE-352)