CVE-2024-56204 Overview
CVE-2024-56204 is a Cross-Site Request Forgery (CSRF) vulnerability in the yonisink Sinking Dropdowns WordPress plugin. The flaw affects all versions up to and including 1.25, and enables Privilege Escalation when a victim with elevated privileges interacts with attacker-controlled content. The weakness is categorized under [CWE-352] and stems from missing or insufficient anti-CSRF protections on state-changing requests handled by the plugin.
Critical Impact
An unauthenticated attacker can coerce an authenticated administrator into submitting a forged request that escalates privileges, fully compromising the WordPress site's confidentiality, integrity, and availability.
Affected Products
- yonisink Sinking Dropdowns WordPress plugin
- All versions up to and including 1.25 (no earliest affected version is identified in the advisory data)
- WordPress sites with the vulnerable sinking-dropdowns plugin installed and active
Discovery Timeline
- 2024-12-31 - CVE-2024-56204 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-56204
Vulnerability Analysis
The Sinking Dropdowns plugin processes privileged actions without validating that the request originated from a legitimate, intended user session. Because there is no nonce verification or equivalent CSRF token check, any state-changing endpoint exposed by the plugin can be triggered through a forged HTTP request. When a logged-in administrator visits an attacker-controlled page, the browser automatically sends authenticated cookies along with the malicious request.
The outcome is Privilege Escalation. An attacker can use the forged request to alter plugin configuration or related WordPress state in ways that grant elevated capabilities to attacker-controlled accounts. This converts a passive browsing action by an administrator into full site compromise.
Root Cause
The root cause is the absence of CSRF mitigations on sensitive plugin actions. WordPress provides wp_nonce_field() to emit a nonce into a form and check_admin_referer() or wp_verify_nonce() to validate it on the receiving side. The vulnerable handlers in sinking-dropdowns do not validate a nonce or referer before processing privileged operations, so the server cannot distinguish forged cross-origin requests from legitimate administrator actions.
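The same gap and its fix in code, as an added example that is not the plugin's own source: a hypothetical admin-post.php handler (the sd_example_* names, option key and form fields are assumptions) shown first without any check and then with check_admin_referer() plus capability checks.

```php
<?php
// Added example, not the Sinking Dropdowns plugin's code: a hypothetical
// admin-post.php handler that saves an option and assigns a user role, shown
// with the CSRF gap the advisory describes and then hardened with the
// WordPress nonce and capability APIs. Assumes it runs inside WordPress.
// VULNERABLE: no nonce, no capability check. Any POST that arrives with an
// administrator's cookies, whichever page sent it, reaches set_role().
function sd_example_save_vulnerable() {
    update_option('sd_example_setting', sanitize_text_field($_POST['setting'] ?? ''));
    $user = get_user_by('id', (int) ($_POST['user_id'] ?? 0));
    if ($user && !empty($_POST['role'])) {
        $user->set_role(sanitize_key($_POST['role']));
    }
    wp_safe_redirect(admin_url('options-general.php?page=sd-example'));
    exit;
}

// HARDENED: the nonce proves the request came from a form WordPress rendered
// for this user and action; the capability checks prove the user may do it.
function sd_example_save_hardened() {
    check_admin_referer('sd_example_save'); // dies with 403 on a missing/invalid _wpnonce
    if (!current_user_can('manage_options')) {
        wp_die(__('Sorry, you are not allowed to do that.'), 403);
    }
    update_option('sd_example_setting', sanitize_text_field($_POST['setting'] ?? ''));
    $user = get_user_by('id', (int) ($_POST['user_id'] ?? 0));
    $role = sanitize_key($_POST['role'] ?? '');
    if ($user && $role !== '') {
        // Role changes need their own capability, and only roles the current
        // user may assign (get_editable_roles) are accepted.
        if (!current_user_can('promote_users') || !array_key_exists($role, get_editable_roles())) {
            wp_die(__('Sorry, you are not allowed to do that.'), 403);
        }
        $user->set_role($role);
    }
    wp_safe_redirect(admin_url('options-general.php?page=sd-example'));
    exit;
}

// Form side: wp_nonce_field() emits the hidden _wpnonce and _wp_http_referer
// inputs that check_admin_referer() expects.
function sd_example_render_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="sd_example_save">';
    wp_nonce_field('sd_example_save');
    echo '<input name="setting"> <input name="user_id"> <input name="role">';
    submit_button(__('Save'));
    echo '</form>';
}
add_action('admin_post_sd_example_save', 'sd_example_save_hardened');
```

The nonce check and the capability check are independent: a valid nonce only shows the request came from a page WordPress rendered for that user, so authorization still has to be checked separately.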
Attack Vector
Exploitation occurs over the network and requires user interaction from an authenticated victim, typically an administrator. The attacker hosts a page containing an auto-submitting form or image tag that issues a request to the target WordPress site. When the victim loads the page while logged in, the browser delivers the request with valid session cookies, and the vulnerable handler executes the privileged action. No prior authentication or privilege is required on the attacker side.
Technical details are available in the Patchstack WordPress Vulnerability Analysis.
Detection Methods for CVE-2024-56204
Indicators of Compromise
- Unexpected creation or modification of WordPress accounts with administrator or elevated roles.
- HTTP POST requests to sinking-dropdowns plugin endpoints with Referer headers pointing to unrelated external domains.
- Changes to plugin settings or user capabilities that do not correspond to legitimate administrator activity in audit logs.
Detection Strategies
- Review web server access logs for state-changing requests to the plugin's admin handlers that lack a valid _wpnonce parameter (note that a nonce sent in the POST body does not appear in standard access logs, so a cross-origin Referer is the more reliable signal there).
- Correlate WordPress user role changes with administrator browsing sessions to identify suspicious cross-origin activity.
- Deploy a Web Application Firewall (WAF) rule that flags requests to sinking-dropdowns endpoints without expected nonce tokens.
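A log review along these lines, as an added example not taken from the advisory: a small PHP script that parses constructed Apache combined-format lines and flags POSTs to the plugin that carry a cross-origin Referer or no _wpnonce in the query string. The site host example.com, the ACTION_NEEDLE substring and the action name in the sample lines are assumptions, since the advisory does not name the plugin's handler actions.

```php
<?php
// Added detection example, not code from the advisory or the plugin. It scans
// Apache combined-format access log lines for POSTs aimed at sinking-dropdowns
// with a cross-origin Referer or no _wpnonce. SITE_HOST and ACTION_NEEDLE are
// assumptions; the plugin's real admin action names are not in the advisory.
const SITE_HOST     = 'example.com';
const PLUGIN_SLUG   = 'sinking-dropdowns';
const ACTION_NEEDLE = 'sinking';
// Parse one combined-log line into its fields; returns null on a non-matching line.
function sd_parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) return null;
    parse_str(parse_url($m[4], PHP_URL_QUERY) ?? '', $query);
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'path' => parse_url($m[4], PHP_URL_PATH) ?? '', 'query' => $query, 'referer' => $m[6]];
}
// True for the plugin's own files or admin-post.php/admin-ajax.php with a plugin action.
function sd_targets_plugin(array $r): bool {
    if (strpos($r['path'], '/wp-content/plugins/' . PLUGIN_SLUG . '/') === 0) return true;
    return in_array(basename($r['path']), ['admin-post.php', 'admin-ajax.php'], true)
        && isset($r['query']['action']) && stripos($r['query']['action'], ACTION_NEEDLE) !== false;
}
// Returns the reasons a request is suspicious (empty array when it is not).
function sd_flag_request(array $r): array {
    $why = [];
    if ($r['method'] !== 'POST' || !sd_targets_plugin($r)) return $why;
    $ref_host = $r['referer'] === '-' ? '' : (string) parse_url($r['referer'], PHP_URL_HOST);
    if ($ref_host !== '' && strcasecmp($ref_host, SITE_HOST) !== 0) {
        $why[] = "cross-origin Referer ($ref_host)";   // strongest signal in an access log
    }
    if (!isset($r['query']['_wpnonce'])) {
        $why[] = 'no _wpnonce in query string';        // weak alone: body nonces are not logged
    }
    return $why;
}
// Constructed sample lines, not real traffic (the action name is made up). Only the first is flagged.
$lines = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-post.php?action=sinking_dropdowns_save HTTP/1.1" 302 0 "https://unrelated.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-post.php?action=sinking_dropdowns_save&_wpnonce=0123456789 HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
foreach ($lines as $line) {
    if (($r = sd_parse_line($line)) && ($why = sd_flag_request($r))) {
        printf("%s %s %s -> %s\n", $r['time'], $r['ip'], $r['target'], implode('; ', $why));
    }
}
```

An absent Referer is not proof of a same-origin request, since browsers strip it under many Referrer-Policy settings, so treat these hits as leads to correlate with the audit log rather than as confirmations.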
Monitoring Recommendations
- Enable a WordPress audit logging plugin to record user role changes, plugin setting modifications, and account creations.
- Alert on any new administrator account creation outside of approved provisioning workflows.
- Monitor outbound Referer patterns to administrator panels and investigate requests originating from untrusted domains.
How to Mitigate CVE-2024-56204
Immediate Actions Required
- Deactivate and remove the Sinking Dropdowns plugin until a patched version is confirmed available and installed.
- Audit all WordPress accounts for unauthorized privilege changes and reset credentials for administrator accounts.
- Require administrators to log out of WordPress sessions before browsing untrusted sites, and enforce short session lifetimes.
Patch Information
No fixed version is identified in the available advisory data. The vulnerability affects Sinking Dropdowns through version 1.25. Site operators should consult the Patchstack advisory for updated patch availability and apply any vendor release that introduces nonce verification on privileged actions.
Workarounds
- Remove the plugin entirely if a patched version is not available.
- Deploy a WAF rule that blocks requests to sinking-dropdowns admin endpoints when a valid _wpnonce parameter or same-origin Referer is absent.
- Restrict access to /wp-admin/ by source IP address to reduce exposure to forged cross-origin requests.
- Configure SameSite=Strict or SameSite=Lax attributes on WordPress authentication cookies to limit cross-site request delivery. Lax still sends cookies on top-level GET navigations, so it does not protect handlers that act on GET requests; Strict covers those as well.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

