CVE-2024-4531

7.1 HIGH

📋 TL;DR

The Business Card WordPress plugin through version 1.0.0 lacks CSRF protection on certain endpoints, allowing attackers to trick authenticated users into performing unauthorized actions like editing business cards. This affects all WordPress sites running the vulnerable plugin version.

💻 Affected Systems

Products:
  • Business Card WordPress Plugin
Versions: through 1.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin activated. Attack requires authenticated user to be tricked into visiting malicious page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify or delete all business card content, potentially defacing the site or removing important contact information.

🟠 Likely Case

Unauthorized modifications to business card content, potentially inserting malicious links or altering contact details.

🟢 If Mitigated

No impact if proper CSRF tokens are implemented or the plugin is updated/disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. Requires social engineering to trick authenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://wpscan.com/vulnerability/18c1b3bb-9998-416f-a972-c4a51643579c/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Business Card plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and remove the plugin.

🔧 Temporary Workarounds

Disable Business Card Plugin (platforms: all)

Temporarily disable the vulnerable plugin until a patched version is available:

wp plugin deactivate business-card

Implement CSRF Protection (platforms: all)

Add CSRF tokens to plugin forms if customizing is possible.
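As an added example of the workaround above (not the Business Card plugin's own code), this is how a WordPress plugin form and its handlers reject forged cross-site requests with a nonce and then check the user's capability; it covers both the admin-post form path and the admin-ajax.php path named in the detection section. The action, nonce field, option name and text domain (`bc_example_*`) are hypothetical.

```php
<?php
// Added example, not the plugin's own code. All bc_example_* names are hypothetical.

// Render the form: wp_nonce_field() embeds a per-user, per-action token that a
// cross-site page cannot read or forge.
function bc_example_render_form() {
    $card = get_option( 'bc_example_card', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bc_example_save_card', 'bc_example_card_nonce' ); ?>
        <input type="hidden" name="action" value="bc_example_save_card">
        <textarea name="card_text"><?php echo esc_textarea( $card ); ?></textarea>
        <?php submit_button( 'Save card' ); ?>
    </form>
    <?php
}

// Form handler, reached via admin-post.php for logged-in users only.
function bc_example_handle_save() {
    // 1. Nonce check: dies with a 403 page if the token is missing or invalid.
    check_admin_referer( 'bc_example_save_card', 'bc_example_card_nonce' );
    // 2. Capability check: the nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bc-example' ), 403 );
    }
    $text = isset( $_POST['card_text'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['card_text'] ) ) : '';
    update_option( 'bc_example_card', $text );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_bc_example_save_card', 'bc_example_handle_save' );

// AJAX variant for admin-ajax.php endpoints. The client obtains the token from
// wp_create_nonce( 'bc_example_save_card' ) and sends it as the 'nonce' field.
function bc_example_ajax_save() {
    check_ajax_referer( 'bc_example_save_card', 'nonce' ); // sends -1 / 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $text = isset( $_POST['card_text'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['card_text'] ) ) : '';
    update_option( 'bc_example_card', $text );
    wp_send_json_success();
}
add_action( 'wp_ajax_bc_example_save_card', 'bc_example_ajax_save' );
```

Nonce verification alone is not an authorization check, which is why both handlers also call current_user_can() before writing the option.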

🧯 If You Can't Patch

  • Restrict plugin access to trusted administrators only
  • Implement web application firewall rules to detect CSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel > Plugins > Business Card version. If the version is 1.0.0 or earlier, the site is vulnerable.

Check Version:

wp plugin get business-card --field=version

Verify Fix Applied:

Verify plugin version is 1.0.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple business card modifications from same IP in short timeframe
  • Unauthorized POST requests to business-card plugin endpoints

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with business-card actions without proper referrer headers

SIEM Query:

source="wordpress" AND (uri="/wp-admin/admin-ajax.php" AND action="business_card_*")
