WordPress Matomo Analytics Plugin <= 5.1.0 is vulnerable to CSRF

+1 following

Same here with all of our sites. +1

There will be an update today (we usually only release on Mondays). As for the “issue”, it’s in an AJAX method that hides a notification (specifically the one that shows whether the system report has a warning or not). If an attacker replayed that request, the end result would just be a hidden notification. There is no danger in keeping the current version of the plugin running.

• This reply was modified 4 months, 2 weeks ago by dizzyatinnocraft.

5.1.1 has been released.

@dizzyatinnocraft awesome, thanks!

Thank you very much! Cheers!

Thank you!

Wordfence WAF warns for a Cross-Site Request Forgery (CVE-2024-38766) in versions up to, and including, 5.1.1 and no known patch available.

Will a new patch be expected or should I deactivate/delete the plugin.

@kaj69 The link you posted has no details. If it is the same issue as the notification issue above (which is not a valid security concern), then it is fixed in 5.1.1.

Sorry for erronous link – the correct is https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/matomo/matomo-analytics-511-cross-site-request-forgery-to-notice-dismissal

It could be about the same issue but it warns for 5.1.1(???)

@kaj69 That is the same “issue”, it is fixed in 5.1.1. After a security bug is reported in WordPress, plugin authors are given 30 days to fix it. Once it is fixed, the plugin author has to send an email confirming it’s fixed. It’s possible they haven’t processed that email yet. Otherwise I’m not sure why it’s there.

Note: this fix was incomplete in 5.1.1, it is complete in 5.1.2. That said, and again, since all an attacker can do here is trick someone into hiding a Matomo for WordPress notification, we don’t consider it a true security concern, and do not want users to feel unsafe if they cannot update to 5.1.2.