CVE-2024-24875 in Link Library Plugininfo

Summary

by MITRE • 02/12/2024

Cross-Site Request Forgery (CSRF) vulnerability in Yannick Lefebvre Link Library.This issue affects Link Library: from n/a through 7.5.13.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/20/2025

The CVE-2024-24875 vulnerability represents a critical cross-site request forgery flaw within the Yannick Lefebvre Link Library plugin, a widely used WordPress component for managing and organizing links. This vulnerability exists in versions ranging from the initial release through 7.5.13, indicating a prolonged exposure window that could have allowed attackers to exploit the weakness for extended periods. The affected plugin serves as a repository for link management functionality, making it a potentially valuable target for malicious actors seeking to compromise WordPress sites that rely on this particular library for their link organization needs.

The technical implementation of this CSRF vulnerability stems from the absence of proper anti-forgery token validation within the plugin's administrative interfaces. When authenticated users navigate to specific administrative endpoints within the Link Library plugin, the system fails to verify that requests originate from legitimate sources within the same session. This omission creates an exploitable condition where an attacker can craft malicious requests that appear to come from authenticated users, leveraging the trust relationship between the user's browser and the vulnerable plugin. The flaw operates by manipulating the browser's behavior to submit requests without the user's explicit consent or knowledge, effectively bypassing the normal authentication and authorization mechanisms that should protect administrative functions.

The operational impact of this vulnerability extends beyond simple data manipulation, as it provides attackers with the capability to perform administrative actions within compromised WordPress installations. An attacker could potentially modify link configurations, add malicious links to the library, or even delete existing entries that might contain critical navigation information for the website. This represents a significant threat to website integrity and user experience, particularly for sites that rely heavily on organized link structures for navigation and content delivery. The vulnerability is particularly dangerous in environments where multiple administrators have access to the plugin, as it could enable privilege escalation or unauthorized modifications that might go unnoticed for extended periods.

Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest available version of the Link Library plugin, which likely contains the necessary patches to address the CSRF token validation issue. Additionally, implementing additional security measures such as content security policies, regular security audits of installed plugins, and monitoring for unauthorized administrative changes can help reduce the risk of exploitation. The vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery conditions in software systems, and represents a clear violation of the principle of least privilege in web application security. Security practitioners should also consider implementing web application firewalls that can detect and block suspicious request patterns that might indicate CSRF attack attempts, while maintaining compliance with security frameworks such as NIST SP 800-53 that emphasize the importance of input validation and session management controls.

Responsible

Patchstack

Reservation

02/01/2024

Disclosure

02/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!