CVE-2024-8200 in Reviews Feed Plugin
Summary
by MITRE • 08/27/2024
The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 03/12/2025
The vulnerability identified as CVE-2024-8200 affects the Reviews Feed plugin for WordPress, a popular tool that aggregates customer reviews from various sources including Google Reviews, Yelp, and TripAdvisor. This plugin allows website administrators to display customer testimonials and reviews on their WordPress sites, making it a valuable component for businesses seeking to build trust and credibility. The vulnerability exists in all versions up to and including 1.1.2, representing a significant security risk for WordPress installations that utilize this plugin.
The technical flaw is in the plugin's update_api_key function, which accepts a request to change the stored API key without validating a WordPress nonce, or validates it incorrectly. A WordPress nonce is not a true single-use number: it is a keyed hash of the action name, the user ID, the user's session token and a time tick, valid for roughly 12 to 24 hours, that WordPress embeds in the forms and AJAX calls it renders for that user. Because a page on another origin cannot read that value, requiring it on every state-changing request proves the request was built from a page the application itself served, and that is what defeats CSRF. Without the check, any request that arrives with the administrator's session cookie is accepted, and the browser attaches that cookie automatically even when the request was initiated by a page on an attacker's domain. The attacker therefore never needs the administrator's credentials, only the ability to make the administrator's browser send a request of the attacker's choosing.
The operational impact is that an unauthenticated attacker can overwrite the API key the plugin stores. Depending on the value written, this breaks retrieval of reviews from the configured platforms (a denial of service against the site's review feed) or leaves the site operating with a key the attacker chose. The attack requires social engineering: the administrator must be logged in to WordPress and be induced to visit an attacker-controlled page or click a crafted link, after which the forged request is submitted by the administrator's own browser without further interaction. No credentials are stolen in this attack; the damage is an unauthorized configuration change that, to the server, is indistinguishable from a legitimate settings update.
The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The ATT&CK mapping given for this entry, T1213.002, is Data from Information Repositories: Sharepoint; CSRF is an abuse of the browser's trust relationship rather than a collection technique, so that mapping should not be read as a description of how the attack works. CSRF does not require the attacker to have access to the administrator's session: it relies on the administrator's browser attaching the existing session cookie to a request the attacker initiated. The fix is to update to a release later than 1.1.2 in which nonce validation was added to update_api_key. A correct handler verifies the nonce (check_admin_referer() or check_ajax_referer() in WordPress terms) and then separately checks the user's capability, because a nonce proves where a request came from, not what the user is authorized to do. Defense in depth includes setting the SameSite attribute on session cookies, keeping installed plugins updated and audited, and monitoring for unexpected changes to plugin options so that an altered API key is detected quickly.
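The following PHP is an added illustration of the missing-nonce pattern beside its hardened form, covering both the nonce mechanism described above and the recommended fix. It is not code from the Reviews Feed plugin: only the function name update_api_key comes from the advisory, while the option name rf_api_key, the hook and action names, and the settings-form markup are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Reviews Feed plugin. The option name
// 'rf_api_key', the action/hook names and the settings-page markup are assumed.

// --- Vulnerable pattern: no nonce check, so any request that carries the
// administrator's session cookie is honoured, including one auto-submitted by
// a form on an attacker's page. ---
function rf_update_api_key_vulnerable() {
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'rf_api_key', $key );
    wp_safe_redirect( admin_url( 'admin.php?page=rf-settings&saved=1' ) );
    exit;
}

// --- Hardened handler ---
function rf_update_api_key_hardened() {
    // 1. Nonce: check_admin_referer() runs wp_verify_nonce() on $_POST['nonce']
    //    for the action 'rf_update_api_key' and dies with a 403 page if the value
    //    is missing, expired, or was generated for another user or action. A page
    //    on another origin cannot read the value, so a forged request stops here.
    check_admin_referer( 'rf_update_api_key', 'nonce' );

    // 2. Capability: a nonce proves where the request came from, not what the
    //    user may do, so authorization is a separate check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'rf_api_key', $key );
    wp_safe_redirect( admin_url( 'admin.php?page=rf-settings&saved=1' ) );
    exit;
}
// admin_post_{action} fires for logged-in users posting to wp-admin/admin-post.php.
add_action( 'admin_post_rf_update_api_key', 'rf_update_api_key_hardened' );

// --- Settings page: the legitimate form carries the nonce field that the
// forged form cannot reproduce. ---
function rf_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rf_update_api_key">
        <?php wp_nonce_field( 'rf_update_api_key', 'nonce' ); ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'rf_api_key', '' ) ); ?>">
        <?php submit_button( 'Save API key' ); ?>
    </form>
    <?php
}
```

An attacker's page only needs a form that posts the fields action=rf_update_api_key and api_key=&lt;attacker value&gt; to /wp-admin/admin-post.php and submits itself on load. Against the vulnerable handler the administrator's browser sends the session cookie and the option is overwritten; against the hardened handler the request has no valid nonce field and check_admin_referer() terminates it before any write. Note that wp_verify_nonce() returns 1 or 2 (the current or previous 12-hour tick) rather than consuming the nonce, so a nonce is reusable within its lifetime; it is bound to the user's session token, so logging out invalidates it.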