What is the severity of CVE-2024-11640?

CVE-2024-11640 is classified as a moderate severity vulnerability due to its potential for Cross-Site Request Forgery attacks.

What types of attacks can CVE-2024-11640 lead to?

CVE-2024-11640 can lead to Cross-Site Request Forgery attacks, allowing unauthorized actions to be performed on behalf of authenticated users.

Who is affected by CVE-2024-11640?

Any user of the VikRentCar Car Rental Management System plugin for WordPress using version 1.4.2 or below is affected by CVE-2024-11640.

Is authentication required to exploit CVE-2024-11640?

No, CVE-2024-11640 can be exploited by unauthenticated attackers due to missing nonce validation.

Vulnerability/
CVE-2024-11640

high

8.8

CWE

352

8/3/2025

CVE-2024-11640: VikRentCar Car Rental Management System <= 1.4.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

Q: How do I fix CVE-2024-11640?

To fix CVE-2024-11640, update the VikRentCar Car Rental Management System plugin to version 1.4.3 or newer.

First published: Sat Mar 08 2025(Updated: )

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
VikRentCar Car Rental Management System	<=1.4.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-11640?
CVE-2024-11640 is classified as a moderate severity vulnerability due to its potential for Cross-Site Request Forgery attacks.
How do I fix CVE-2024-11640?
To fix CVE-2024-11640, update the VikRentCar Car Rental Management System plugin to version 1.4.3 or newer.
What types of attacks can CVE-2024-11640 lead to?
CVE-2024-11640 can lead to Cross-Site Request Forgery attacks, allowing unauthorized actions to be performed on behalf of authenticated users.
Who is affected by CVE-2024-11640?
Any user of the VikRentCar Car Rental Management System plugin for WordPress using version 1.4.2 or below is affected by CVE-2024-11640.
Is authentication required to exploit CVE-2024-11640?
No, CVE-2024-11640 can be exploited by unauthenticated attackers due to missing nonce validation.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/source
agent/author
agent/severity
agent/tags
agent/event
vendor/vikrentcar
canonical/vikrentcar car rental management system

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.