CVE-2024-24837 in FG Drupal Plugininfo

Summary

by MITRE • 02/21/2024

Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; FG Joomla to WordPress: from n/a through 4.15.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/15/2026

This cross-site request forgery vulnerability exists within multiple plugins developed by Frédéric GILLES that facilitate data migration between different content management systems. The flaw allows authenticated users to be tricked into executing unintended administrative actions on vulnerable websites without their knowledge or consent. The affected plugins include FG PrestaShop to WooCommerce, FG Drupal to WordPress, and FG Joomla to WordPress, each with specific version ranges where the vulnerability persists. The CSRF vulnerability specifically impacts the migration processes that these plugins handle, potentially enabling attackers to manipulate the migration workflows and compromise the integrity of the data transfer operations.

The technical implementation of this vulnerability stems from the absence of proper anti-CSRF token validation within the plugin's administrative interfaces. When users navigate to the migration plugin's configuration pages or initiate migration processes, the system fails to verify that requests originate from legitimate sources within the same session. This oversight creates a condition where an attacker can craft malicious requests that appear to come from authenticated users, exploiting the trust relationship between the web application and the user's browser. The vulnerability is particularly concerning because it operates at the administrative level where users have elevated privileges, potentially allowing for complete compromise of the migration functionality and associated data.

The operational impact of this vulnerability extends beyond simple data manipulation to encompass potential full system compromise. An attacker who successfully exploits this CSRF vulnerability could initiate unauthorized data migrations, alter migration settings, or even delete migration records, leading to data corruption or loss. The implications are especially severe for e-commerce environments where migration operations often involve sensitive customer data, product catalogs, and transaction records. Additionally, successful exploitation could lead to privilege escalation scenarios where attackers gain unauthorized administrative access to the target systems, as the migration processes typically require elevated permissions to function correctly. This vulnerability directly aligns with CWE-352, which specifically addresses Cross-Site Request Forgery flaws in web applications.

Mitigation strategies for this vulnerability should focus on implementing robust anti-CSRF token mechanisms across all plugin administrative interfaces. Organizations should immediately update to the latest available versions of the affected plugins where patches have been released, as these updates typically include proper token validation and request verification mechanisms. System administrators should also implement additional security controls such as ensuring that administrative sessions utilize secure cookies with appropriate flags, implementing proper session management practices, and conducting regular security audits of installed plugins. The remediation process should include comprehensive testing to verify that all migration operations now properly validate request sources and that no other similar vulnerabilities exist within the plugin ecosystem. Organizations should also consider implementing web application firewalls to provide additional protection layers against CSRF attacks while ensuring that security measures align with industry best practices outlined in the OWASP Top Ten and NIST cybersecurity frameworks.

Responsible

Patchstack

Reservation

01/31/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00276

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!