CVE-2024-3947

4.3 MEDIUM

📋 TL;DR

The WP To Do WordPress plugin has a Cross-Site Request Forgery vulnerability that allows an unauthenticated attacker to modify plugin settings by tricking a logged-in administrator into clicking a crafted link. All WordPress sites running WP To Do plugin versions up to and including 1.3.0 are affected.

💻 Affected Systems

Products:
  • WP To Do WordPress Plugin
Versions: All versions up to and including 1.3.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP To Do plugin active. Attack requires administrator interaction.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify plugin settings to disrupt functionality, inject malicious content, or create backdoors for further attacks.

🟠

Likely Case

Attackers change plugin settings to disable features, modify behavior, or prepare for follow-up attacks.

🟢

If Mitigated

With CSRF protection in place there is no impact: requests that do not carry a valid nonce are rejected.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick administrators into clicking malicious links. No authentication needed for the CSRF attack itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-todo/trunk/inc/Base/Model.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the WP To Do plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable WP To Do Plugin

Operating Systems: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate wp-todo

Add CSRF Protection Manually

Operating Systems: all

Add nonce validation to the wptodo_settings() function in the plugin code.
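As an added illustration of what that nonce validation looks like in a WordPress admin-post handler (example code, not the plugin's own): the unprotected pattern first, then the hardened one. The handler names, the option key, the nonce action and the form field name are assumptions.

```php
<?php
// Added example (not the WP To Do plugin's code). Handler, option and field
// names are assumptions; only the action name "wptodo_settings" comes from the advisory.

// --- Unprotected pattern: the request is trusted as long as the victim's admin
// cookies are attached, which is exactly the condition a CSRF page satisfies.
function wptodo_settings_unprotected() {
    $value = isset( $_POST['wptodo_option'] ) ? sanitize_text_field( wp_unslash( $_POST['wptodo_option'] ) ) : '';
    update_option( 'wptodo_option', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=wptodo' ) );
    exit;
}

// --- Hardened pattern: the form must carry a nonce bound to this action and the
// current user's session, and the user must hold the capability to change options.
function wptodo_settings_protected() {
    // check_admin_referer() stops with a "link expired" page when the nonce field
    // is missing or invalid; a cross-site page cannot obtain a valid one.
    check_admin_referer( 'wptodo_save_settings', 'wptodo_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    $value = isset( $_POST['wptodo_option'] ) ? sanitize_text_field( wp_unslash( $_POST['wptodo_option'] ) ) : '';
    update_option( 'wptodo_option', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=wptodo' ) );
    exit;
}

// Handle POST wp-admin/admin-post.php?action=wptodo_settings for logged-in users
// only; the admin_post_nopriv_* hook is deliberately not registered.
add_action( 'admin_post_wptodo_settings', 'wptodo_settings_protected' );

// The settings form emits the matching nonce field so legitimate saves still pass.
function wptodo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wptodo_settings">
        <?php wp_nonce_field( 'wptodo_save_settings', 'wptodo_nonce' ); ?>
        <input type="text" name="wptodo_option"
               value="<?php echo esc_attr( get_option( 'wptodo_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A nonce alone proves the request originated from a form this site rendered for this user; the capability check is still needed so that lower-privileged users who can obtain a nonce cannot change the setting.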

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only
  • Implement web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WP To Do plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wp-todo --field=version

Verify Fix Applied:

Verify plugin version is 1.3.1 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-admin/admin-post.php with wptodo_settings action
  • Multiple failed CSRF validation attempts

Network Indicators:

  • HTTP requests with wptodo_settings parameter from unexpected sources
  • Cross-origin requests to admin endpoints

SIEM Query:

source="wordpress" action="wptodo_settings" AND NOT referer CONTAINS "same-domain"
