Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Nested Pages by kylephillips
CVE-2024-5943 (GCVE-0-2024-5943)
Vulnerability from nvd – Published: 2024-07-04 11:34 – Updated: 2026-04-08 17:20
VLAI?
Title
Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion
Summary
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kylephillips | Nested Pages |
Affected:
0 , ≤ 3.2.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kylephillips:nested_pages:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nested_pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T13:56:26.701726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T17:58:30.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:03.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2663150-61f9-49e3-9219-fbe89cc6b03c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Config/Settings.php#L129"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Views/settings/settings.php#L20"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3111847/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nested Pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bassem Essam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the \u0027settingsPage\u0027 function and missing santization of the \u0027tab\u0027 parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:08.458Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2663150-61f9-49e3-9219-fbe89cc6b03c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Config/Settings.php#L129"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Views/settings/settings.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3111847/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-03T23:23:26.000Z",
"value": "Disclosed"
}
],
"title": "Nested Pages \u003c= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5943",
"datePublished": "2024-07-04T11:34:05.170Z",
"dateReserved": "2024-06-12T23:24:30.221Z",
"dateUpdated": "2026-04-08T17:20:08.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2434 (GCVE-0-2023-2434)
Vulnerability from nvd – Published: 2023-05-31 03:36 – Updated: 2026-04-08 17:05
VLAI?
Title
Nested Pages <= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
Summary
The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kylephillips | Nested Pages |
Affected:
0 , ≤ 3.2.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:15.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/tags/3.2.3/app/Form/Listeners/ResetSettings.php#L12"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2919175%40wp-nested-pages\u0026old=2814681%40wp-nested-pages\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nested Pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027reset\u0027 function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:57.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/tags/3.2.3/app/Form/Listeners/ResetSettings.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2919175%40wp-nested-pages\u0026old=2814681%40wp-nested-pages\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-30T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Nested Pages \u003c= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2434",
"datePublished": "2023-05-31T03:36:10.899Z",
"dateReserved": "2023-05-01T09:19:58.742Z",
"dateUpdated": "2026-04-08T17:05:57.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5943 (GCVE-0-2024-5943)
Vulnerability from cvelistv5 – Published: 2024-07-04 11:34 – Updated: 2026-04-08 17:20
VLAI?
Title
Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion
Summary
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kylephillips | Nested Pages |
Affected:
0 , ≤ 3.2.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kylephillips:nested_pages:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nested_pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T13:56:26.701726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T17:58:30.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:03.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2663150-61f9-49e3-9219-fbe89cc6b03c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Config/Settings.php#L129"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Views/settings/settings.php#L20"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3111847/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nested Pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bassem Essam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the \u0027settingsPage\u0027 function and missing santization of the \u0027tab\u0027 parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:08.458Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2663150-61f9-49e3-9219-fbe89cc6b03c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Config/Settings.php#L129"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Views/settings/settings.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3111847/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-03T23:23:26.000Z",
"value": "Disclosed"
}
],
"title": "Nested Pages \u003c= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5943",
"datePublished": "2024-07-04T11:34:05.170Z",
"dateReserved": "2024-06-12T23:24:30.221Z",
"dateUpdated": "2026-04-08T17:20:08.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2434 (GCVE-0-2023-2434)
Vulnerability from cvelistv5 – Published: 2023-05-31 03:36 – Updated: 2026-04-08 17:05
VLAI?
Title
Nested Pages <= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
Summary
The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kylephillips | Nested Pages |
Affected:
0 , ≤ 3.2.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:15.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/tags/3.2.3/app/Form/Listeners/ResetSettings.php#L12"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2919175%40wp-nested-pages\u0026old=2814681%40wp-nested-pages\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nested Pages",
"vendor": "kylephillips",
"versions": [
{
"lessThanOrEqual": "3.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027reset\u0027 function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:57.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-nested-pages/tags/3.2.3/app/Form/Listeners/ResetSettings.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2919175%40wp-nested-pages\u0026old=2814681%40wp-nested-pages\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-30T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Nested Pages \u003c= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2434",
"datePublished": "2023-05-31T03:36:10.899Z",
"dateReserved": "2023-05-01T09:19:58.742Z",
"dateUpdated": "2026-04-08T17:05:57.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}