cleantalk
Vulnerabilities and Security Researches

SecuPress Free — WordPress Security, CVE-2024-1504

CVE, Research URL

CVE-2024-1504

Home page URL

Security reports for SecuPress Free — WordPress Security

Application

SecuPress Free — WordPress Security

Published on
Apr 02, 2024
Research Description
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link.
Affected versions
Min -, max 2.2.5.2.
Status
vulnerable
Previous vulnerability researches
SecuPress Free — WordPress Security (CVE-2025-30907) , Apr 03, 2025
SecuPress Free — WordPress Security (CVE-2024-1504) , Jun 07, 2024
SecuPress Free — WordPress Security (bec7d275dc66a21d2b0257e900e50f83e62446c1) , Jun 07, 2024
SecuPress Free — WordPress Security (CVE-2025-3452) , Apr 30, 2025
SecuPress Free — WordPress Security (CVE-2024-43228) , Mar 15, 2025
New vulnerability
Admin and Site Enhancements (ASE) (CVE-2024-13688) , Apr 30, 2025
WordPress Simple Shopping Cart (CVE-2025-3529) , Apr 30, 2025
SecuPress Free — WordPress Security (CVE-2025-3452) , Apr 30, 2025
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor (CVE-2025-2893) , Apr 30, 2025
My Tickets (CVE-2025-3761) , Apr 29, 2025