WordPress Plugin Vulnerabilities

Simple 301 Redirects < 2.0.8 - Cross-Site Request Forgery via 'clicked'

Description

The Simple 301 Redirects plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the 'clicked' function. This makes it possible for unauthenticated attackers to enable or disable click tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
simple-301-redirects
Fixed in 2.0.8

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9945c85b-a97a-4ad0-9d0a-69faf157563a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (Medium)

Miscellaneous

Verified
No
WPVDB ID
0534f45c-4d0a-40f8-abac-71ca2409a738

Timeline

Publicly Published
2023-08-30 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-29 (about 2 years ago)

Other

Published
Title
Published
2025-02-13
Title
Glance That <= 4.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-11-10
Title
YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-16
Title
go Social <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-03-16
Title
Website Monetization by MageNet < 1.0.29.2 - Cross-Site Request Forgery
Published
2024-11-23
Title
Idealien Category Enhancements <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting