CVE-2024-4086 in CM Tooltip Glossary Plugin
Summary
by MITRE • 05/03/2024
The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/03/2025
The CVE-2024-4086 vulnerability affects the CM Tooltip Glossary plugin for WordPress, a widely used tool for creating and managing glossary terms on websites. This plugin enables administrators to define custom tooltips that appear when users hover over specific terms, making it a valuable component for educational and technical websites. The vulnerability exists in all versions up to and including 4.2.11, representing a significant security risk for WordPress installations that rely on this plugin. The issue stems from insufficient validation mechanisms that should protect against unauthorized configuration changes, creating a pathway for malicious actors to manipulate plugin functionality without proper authentication.
The technical flaw manifests as a missing or incorrect nonce validation mechanism within the plugin's settings saving functionality. Nonces, or number used once, are cryptographic tokens that ensure requests originate from legitimate sources and prevent unauthorized modifications to system configurations. In this case, the plugin fails to properly validate these security tokens when processing setting updates, allowing attackers to craft malicious requests that appear to come from authenticated administrators. This vulnerability specifically targets the administrative interface where plugin settings are modified, exploiting the trust relationship between the browser and the WordPress admin panel.
The operational impact of this cross-site request forgery vulnerability is substantial for affected WordPress sites. Unauthenticated attackers can leverage this flaw to modify plugin configurations, potentially disabling critical features, altering tooltip behavior, or even resetting all plugin settings to default values. The attack requires social engineering to trick administrators into clicking malicious links, but once successful, it can lead to complete compromise of the glossary functionality. This vulnerability undermines the integrity of the plugin's administrative controls and can result in degraded user experience or information disclosure if malicious actors manipulate tooltip content to display harmful links or messages.
Security professionals should immediately update the CM Tooltip Glossary plugin to version 4.2.12 or later, which contains the necessary nonce validation fixes. Organizations should also implement additional defensive measures including monitoring for unauthorized configuration changes, restricting administrative access through multi-factor authentication, and employing web application firewalls to detect suspicious requests. The vulnerability aligns with CWE-352, which catalogs Cross-Site Request Forgery weaknesses in software applications, and maps to ATT&CK technique T1078.004 for valid accounts and T1566 for social engineering attacks. Network administrators should review access controls and implement principle of least privilege for plugin management functions to minimize potential damage from similar vulnerabilities in other WordPress components.