Vulnerabilities > CVE-2024-0590 - Unspecified vulnerability in Microsoft Clarity 0.3

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

microsoft

NVD

Published: 2024-02-29

Updated: 2025-03-04

Summary

The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Clarity 0.3	1

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3036293%40microsoft-clarity&new=3036293%40microsoft-clarity&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3036293%40microsoft-clarity&new=3036293%40microsoft-clarity&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2f4461b-1373-4d09-8430-14d1961e1644?source=cve