WordPress Plugin Vulnerabilities

Schema - All In One Schema Rich Snippets < 1.6.6 - Multiple CSRF

Description

The plugin does not properly validate a user intended to do an action, which they could have done using nonce checks. This makes it possible for attackers to conduct CSRF attacks against an unsuspecting administrator, tricking their browser into editing some of the plugin's settings.

Affects Plugins

Plugin icon
all-in-one-schemaorg-rich-snippets
Fixed in 1.6.6

References

CVE
CVE-2023-25058

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rio Darmawan
Submitter
Chris Grello
Verified
Yes
WPVDB ID
0b4fcc15-7b1b-4f76-83ca-f70e3362cae6

Timeline

Publicly Published
2023-02-16 (about 3 years ago)
Added
2023-03-30 (about 3 years ago)
Last Updated
2023-03-30 (about 3 years ago)

Other

Published
Title
Published
2025-04-09
Title
Windows Live Writer <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-08-16
Title
Rucy <= 0.4.4 - Cross-Site Request Forgery
Published
2025-04-09
Title
Vite Coupon < 1.0.10 - Remote Code Execution via CSRF
Published
2025-02-18
Title
Disable Auto Updates <= 1.4 - Cross-Site Request Forgery to Auto-update Disable
Published
2025-11-10
Title
WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting