WordPress Plugin Vulnerabilities

WP Championship < 9.3 - Multiple CSRF

Description

The plugin is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
wp-championship
Fixed in 9.3

References

CVE
CVE-2022-1967

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
02d25736-c796-49bd-b774-66e0e3fcf4c9

Timeline

Publicly Published
2022-06-16 (about 3 years ago)
Added
2022-06-13 (about 3 years ago)
Last Updated
2023-03-13 (about 2 years ago)

Other

Published
Title
Published
2025-09-05
Title
Responder < 4.4.0 - Cross-Site Request Forgery
Published
2023-01-04
Title
JetWidgets for Elementor < 1.0.13 - Settings Update via CSRF
Published
2025-01-16
Title
add custom google tag manager <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-09-05
Title
WP Gallery Metabox <= 1.0.0 - Settings Update via CSRF
Published
2025-02-17
Title
Reset < 1.7 - Cross-Site Request Forgery to Database Reset