WordPress Plugin Vulnerabilities

MicroPayments < 1.9.6 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF in place when updating its settings, which could allow attacker to make a logged in admin perform such action via a CSRF attack

Affects Plugins

Plugin icon
paid-membership
Fixed in 1.9.6

References

CVE
CVE-2022-27629
URL
http://jvn.jp/en/jp/JVN31606885/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kosuke Sakai
Verified
Yes
WPVDB ID
0826ee44-35ef-4d17-a72f-1b2958c687cd

Timeline

Publicly Published
2022-04-15 (about 4 years ago)
Added
2022-04-19 (about 4 years ago)
Last Updated
2022-04-20 (about 4 years ago)

Other

Published
Title
Published
2024-06-12
Title
Himer - Social Questions and Answers < 2.1.1 - Multiple CSRF on the Group Section
Published
2019-06-18
Title
The Official Facebook Chat Plugin < 1.3 - CSRF
Published
2024-12-02
Title
Maspik – Spam blacklist < 2.2.8 - Cross-Site Request Forgery to Plugin Settings Change
Published
2011-03-17
Title
WP Recaptcha < 3.0 - Multiple CSRF
Published
2024-04-10
Title
Feather Login Page < 1.1.6 - Cross-Site Request Forgery via saveData()