Threat Entry Updated 2025-01-09

CVE-2024-12206 - Pearl Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Pearl

CVE-2024-12206

MEDIUM CVSS 4.3 2025-01-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-5468 - Pearl Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options that can be used to perform a denial of service attack on a site.

PLUGIN Pearl

CVE-2024-5468

MEDIUM CVSS 6.5 2024-06-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-4000 - Pearl Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm_hb' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pearl

CVE-2024-4000

MEDIUM CVSS 6.4 2024-05-02

Risk Score

Open Full Technical Breakdown