CVE-2024-4530

6.3 MEDIUM

📋 TL;DR

The Business Card WordPress plugin through version 1.0.0 lacks Cross-Site Request Forgery (CSRF) protection on certain endpoints, allowing attackers to trick authenticated users into performing unauthorized actions like editing card categories. This affects WordPress sites running the vulnerable plugin version. Attackers can exploit this when users with appropriate privileges visit malicious pages while logged in.

💻 Affected Systems

Products:
  • Business Card WordPress Plugin
Versions: through 1.0.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin enabled. Users must have appropriate privileges (like editor or admin) to be targeted.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could manipulate card category data, potentially disrupting business operations or defacing the site's business card functionality if administrative users are targeted.

🟠 Likely Case

Attackers modify card categories without authorization, causing minor data integrity issues or confusion for legitimate users.

🟢 If Mitigated

With proper CSRF tokens implemented, no unauthorized actions can be performed via forged requests.
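The CSRF token mechanism WordPress provides for admin form handlers is the nonce. The example below is added here for illustration and is not the Business Card plugin's own code: the handler names (`bc_*`), the option name, the form field names and the `bc_save_category` action are hypothetical. It places a handler that only checks capabilities (the vulnerable shape: the browser attaches the victim's session cookie to a forged cross-site POST, so the capability check passes) beside the hardened shape, where `wp_nonce_field()` embeds a nonce in the form and `check_admin_referer()` rejects any request that does not carry a valid one.

```php
<?php
// Added example, not the plugin's code. All "bc_" names, the option
// "bc_category_name" and the action "bc_save_category" are hypothetical.

// Vulnerable shape: a capability check alone does not stop CSRF. The victim's
// browser sends their logged-in cookies with a forged POST, so this passes
// and the category is renamed without the user intending it.
function bc_save_category_unprotected() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['category_name'] ?? '' ) );
    update_option( 'bc_category_name', $name );
    wp_safe_redirect( admin_url( 'admin.php?page=business-card' ) );
    exit;
}

// Hardened shape, step 1: the form carries a nonce bound to the action and to
// the current user's session.
function bc_render_category_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bc_save_category">
        <?php wp_nonce_field( 'bc_save_category', 'bc_nonce' ); ?>
        <input type="text" name="category_name">
        <?php submit_button( 'Save category' ); ?>
    </form>
    <?php
}

// Hardened shape, step 2: verify the nonce before doing anything. A page on
// another origin cannot read the nonce value, so a forged request fails here.
function bc_save_category_protected() {
    // check_admin_referer() validates the nonce (and the Referer when present)
    // and terminates with a 403 on failure, so nothing below runs on a forgery.
    check_admin_referer( 'bc_save_category', 'bc_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['category_name'] ?? '' ) );
    update_option( 'bc_category_name', $name );
    wp_safe_redirect( admin_url( 'admin.php?page=business-card' ) );
    exit;
}

// admin-post.php routes action=bc_save_category to this handler for logged-in users.
add_action( 'admin_post_bc_save_category', 'bc_save_category_protected' );
```

The nonce is the control; the capability check remains necessary but is not sufficient, because CSRF rides on a session that already has the capability. Keep the nonce action string specific to the operation (one per form), and call the check before any state change so a failed check leaves nothing modified.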

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking a logged-in user with appropriate privileges to visit a malicious page. No authentication bypass is needed beyond the user's existing session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://wpscan.com/vulnerability/952f6b5c-7728-4c87-8826-6b493f51a979/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Business Card' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the Business Card plugin until patched.

wp plugin deactivate business-card

Implement WAF Rules (applies to: all)

Add web application firewall rules to block suspicious requests to plugin endpoints.

🧯 If You Can't Patch

  • Restrict plugin access to trusted users only and implement strict access controls.
  • Monitor for unauthorized changes to card categories and review logs regularly.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Business Card plugin version 1.0.0 or earlier.

Check Version:

wp plugin get business-card --field=version

Verify Fix Applied:

Verify plugin version is 1.0.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin.php?page=business-card endpoints from unexpected sources.
  • Multiple failed or unexpected card category modification attempts.

Network Indicators:

  • HTTP requests to plugin endpoints without a proper Referer header or a valid CSRF token (WordPress nonce).

SIEM Query:

source="wordpress.log" AND (uri="/wp-admin/admin.php?page=business-card" OR plugin="business-card") AND method="POST"
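The log and network indicators above can be checked outside a SIEM as well. The script below is an added example, not part of the advisory: it scans access-log lines for POSTs to the plugin's admin page whose Referer is missing or belongs to a host other than the site. The four log lines are constructed for the demo, `shop.example` is a placeholder site host, and Combined Log Format (Referer as the first quoted field after status and size) is assumed. A same-origin Referer does not prove a request is legitimate (the nonce check is the real control), but a missing or foreign Referer on a state-changing admin request is a reasonable alert condition.

```php
<?php
// Added example, not from the advisory. Log lines are constructed; the site
// host "shop.example" is a placeholder; Combined Log Format is assumed.

const SITE_HOST  = 'shop.example';
const PLUGIN_URI = '/wp-admin/admin.php?page=business-card';

$sample_log = <<<'LOG'
203.0.113.5 - - [10/May/2024:12:01:02 +0000] "POST /wp-admin/admin.php?page=business-card HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=business-card" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:03:14 +0000] "POST /wp-admin/admin.php?page=business-card HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:05:44 +0000] "POST /wp-admin/admin.php?page=business-card HTTP/1.1" 302 0 "https://unrelated.example/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:06:01 +0000] "GET /wp-admin/admin.php?page=business-card HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"
LOG;

/**
 * Return POSTs to the plugin page whose Referer is absent ("-") or whose host
 * is not the site itself. Each hit carries the client IP, timestamp, status
 * and the reason it was flagged.
 */
function bc_suspicious_posts(string $log, string $site_host, string $plugin_uri): array {
    // ip ident user [time] "METHOD URI PROTO" status size "referer" "user-agent"
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // unparsable line; a real pipeline would count these separately
        }
        [, $ip, $ts, $method, $uri, $status, $referer] = $m;
        if ($method !== 'POST' || strpos($uri, $plugin_uri) !== 0) {
            continue; // only state-changing requests to the plugin page matter here
        }
        $ref_host = $referer === '-' ? null : parse_url($referer, PHP_URL_HOST);
        if ($ref_host === $site_host) {
            continue; // same-origin Referer: expected traffic
        }
        $hits[] = [
            'ip'     => $ip,
            'time'   => $ts,
            'status' => $status,
            'reason' => $ref_host === null ? 'missing Referer' : "foreign Referer host $ref_host",
        ];
    }
    return $hits;
}

// On the constructed input this flags the second and third lines only.
foreach (bc_suspicious_posts($sample_log, SITE_HOST, PLUGIN_URI) as $hit) {
    printf("%s %s status=%s (%s)\n", $hit['time'], $hit['ip'], $hit['status'], $hit['reason']);
}
```

Run it with `php detect.php` against a copy of the real access log by replacing `$sample_log` with `file_get_contents()` of the log and setting `SITE_HOST` to the site's hostname. Note that browsers may strip the Referer under some referrer policies, so a missing Referer is an indicator to review, not proof of forgery.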
