Lucene search
PRIOn knowledge basePRION:CVE-2023-4247HistoryJan 11, 2024 - 9:15 a.m.
Cross site request forgery (csrf)
2024-01-1109:15:00
PRIOn knowledge base
www.prio-n.com
5
wordpress
givewp
cross-site request forgery
vulnerable
nonce validation
sendwp plugin
unauthenticated attackers
deactivate
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_disconnect function. This makes it possible for unauthenticated attackers to deactivate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
plugins.trac.wordpress.org/browser/give/trunk/includes/admin/misc-functions.php?rev=2772225
plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2974851%40give%2Ftrunk&old=2973080%40give%2Ftrunk&sfp_email=&sfph_mail=
www.wordfence.com/threat-intel/vulnerabilities/id/e32d9104-5a39-4455-b76a-e24ae787bdfd?source=cve
Related
cve
cve
CVE-2023-4247
2024-01-11 09:15:46
cvelist
cvelist
CVE-2023-4247
2024-01-11 08:33:05
nvd
nvd
CVE-2023-4247
2024-01-11 09:15:46
wpvulndb
wpvulndb
GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation
2023-11-24 00:00:00
wordfence
wordfence