The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a user with the contributor role or higher into clicking a link. The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings and, on older versions (<= 2.7.0), inject arbitrary web scripts by tricking a logged-in user with the contributor role or higher into clicking a link.
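
A hardened WordPress settings handler for the bug class described above, as an added example that is not the affected plugin's code: it combines the nonce check that blocks CSRF with a capability check and sanitize-on-save / escape-on-output against script injection through settings. All `example_crm_*` names, the `widget_title` field and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
// Added example: hypothetical plugin code, not taken from the affected plugin.
// Option name, action name and field name below are illustrative assumptions.

// Render the settings form (used as the callback of add_options_page()).
function example_crm_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to view these settings.', '', array( 'response' => 403 ) );
    }
    $settings = get_option( 'example_crm_settings', array( 'widget_title' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_crm_save">
        <?php
        // Emits a hidden nonce bound to the current user, session and action.
        wp_nonce_field( 'example_crm_save', 'example_crm_nonce' );
        ?>
        <input type="text" name="widget_title"
               value="<?php echo esc_attr( $settings['widget_title'] ); // escape on output ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// State-changing requests go through POST on admin-post.php only.
// No admin_post_nopriv_ hook is registered, so logged-out requests are rejected.
add_action( 'admin_post_example_crm_save', 'example_crm_handle_save' );

function example_crm_handle_save() {
    // 1. Authorization: a contributor must not be able to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: dies unless the request carries a valid nonce for this action,
    //    which a cross-site link or auto-submitted form cannot supply.
    check_admin_referer( 'example_crm_save', 'example_crm_nonce' );

    // 3. Input handling: strip tags and control characters before storing.
    $title = isset( $_POST['widget_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_title'] ) )
        : '';
    update_option( 'example_crm_settings', array( 'widget_title' => $title ) );

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ? $back : admin_url() ) );
    exit;
}
```
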
CPE

Name | Operator | Version |
---|---|---|
crm-customer-relationship-management-by-vcita | eq | * |