Skip to main content

Orbit Fox CVE-2024-1162

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-02-02 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 18:22 nvd
Patch available
CVE Published
Feb 02, 2024 - 06:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Affected products include: Themeisle Orbit Fox.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2021-24158 MEDIUM POC
6.5 Apr 05

Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders f

CVE-2021-24157 MEDIUM POC
5.4 Apr 05

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. Rated medium seve

CVE-2024-1499 MEDIUM
6.4 Mar 13

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widge

CVE-2024-2126 MEDIUM
6.4 Mar 13

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form w

CVE-2024-1497 MEDIUM
6.4 Mar 13

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_w

CVE-2024-2484 MEDIUM
6.4 Jun 22

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post T

CVE-2024-1323 MEDIUM
6.4 Feb 27

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type

CVE-2024-0508 MEDIUM
6.4 Feb 05

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Ta

CVE-2024-7778 MEDIUM
5.4 Aug 22

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all

CVE-2024-1047 MEDIUM
5.3 Feb 02

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data

CVE-2026-11358 MEDIUM
4.4 Jun 18

Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject

CVE-2024-13183 MEDIUM
6.4 Jan 10

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ paramet

Share

CVE-2024-1162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy