wpvulndb | Daniel Ruf | WPVDB-ID: 4098B18D-6FF3-462C-AF05-48ADB6599CF3
History: Jan 03, 2024 - 12:00 a.m.

Custom User CSS <= 0.2 - Settings Update via CSRF

2024-01-03 00:00:00
Daniel Ruf
wpscan.com
10
Tags: csrf, security, plugin, admin, settings

AI Score: 6.3
Confidence: High
EPSS: 0.001
Percentile: 32.5%

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
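As an added example (not the Custom User CSS plugin's own code; the cucss_ hook, option and field names are assumptions), the unprotected settings-update pattern the description refers to, shown beside a handler that ties the update to a WordPress nonce and a capability check:

```php
<?php
// Hypothetical handler names; the plugin's real code is not reproduced here.

// VULNERABLE pattern: saves whatever the POST body carries. Any page the
// admin visits while logged in can submit this request, because nothing
// in it proves the request came from the plugin's own settings form.
function cucss_save_settings_vulnerable() {
    if ( isset( $_POST['cucss_css'] ) ) {
        update_option( 'cucss_css', wp_unslash( $_POST['cucss_css'] ) );
    }
}

// FIXED pattern, part 1: the settings form embeds a nonce bound to the
// action name and the current user's session.
function cucss_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cucss_save_settings">';
    wp_nonce_field( 'cucss_save_settings', 'cucss_nonce' ); // emits the token
    echo '<textarea name="cucss_css"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// FIXED pattern, part 2: the handler refuses the request unless the nonce
// verifies and the user holds the capability. A cross-site form cannot
// obtain a valid nonce, so check_admin_referer() stops the CSRF case.
function cucss_save_settings_fixed() {
    // Dies with a 403 page if the nonce is absent, expired or not this user's.
    check_admin_referer( 'cucss_save_settings', 'cucss_nonce' );
    // Authorization is separate from CSRF protection: check it too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $css = isset( $_POST['cucss_css'] ) ? wp_unslash( $_POST['cucss_css'] ) : '';
    // Minimal safeguard so a stored "</style>" cannot break out of the
    // <style> block the CSS is later echoed into.
    update_option( 'cucss_css', wp_strip_all_tags( $css ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_cucss_save_settings', 'cucss_save_settings_fixed' );
```

Detecting the weak pattern in a plugin review amounts to finding update_option() calls reachable from request data with no check_admin_referer() or wp_verify_nonce() on the path.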

PoC

Create an HTML form with the following content and make a logged-in admin open it
