WordPress Plugin Vulnerabilities

Wp Ultimate Review < 2.3.1 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating some of its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
wp-ultimate-review
Fixed in 2.3.1

References

CVE
CVE-2023-46085
URL
https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-2-4-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
qilin_99
Verified
No
WPVDB ID
09b5112d-d14f-49de-bdbc-c02a130b4846

Timeline

Publicly Published
2023-10-22 (about 2 years ago)
Added
2023-10-23 (about 2 years ago)
Last Updated
2024-03-12 (about 2 years ago)

Other

Published
Title
Published
2024-07-20
Title
GamiPress - Reset User <= 1.0.0 - GamiPress User Data Removal via CSRF
Published
2025-11-29
Title
sIFR <= 0.6.8.1 - Cross-Site Request Forgery
Published
2023-11-23
Title
Simple Testimonials Showcase <= 1.1.5 - Cross-Site Request Forgery
Published
2023-02-28
Title
WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF
Published
2023-02-08
Title
ColorWay <= 4.2.3 - Cross-Site Request Forgery