WordPress Plugin Vulnerabilities

Realia <= 1.4.0 - User Email Change via Cross-Site Request Forgery

Description

The plugin does not protect its process_change_profile_form action against CSRF attacks, allowing an unauthenticated attacker to change a users email by tricking a logged in administrator to submit a crafted request.

Affects Plugins

Plugin icon
realia
No known fix

References

CVE
CVE-2023-4277
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/realia/realia-140-cross-site-request-forgery-to-user-email-change

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
16d7c3b0-1b82-4111-8ff4-62edfb5b107d

Timeline

Publicly Published
2023-08-09 (about 2 years ago)
Added
2023-08-10 (about 2 years ago)
Last Updated
2023-08-10 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
Social Media Share Buttons & Social Sharing Icons < 2.8.6 - Arbitrary Settings Update via CSRF
Published
2026-03-25
Title
Conditional Menus < 1.2.7 - Cross-Site Request Forgery to Menu Options Update
Published
2025-01-24
Title
Subscription DNA < 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-02-26
Title
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Published
2025-06-19
Title
Live Sports Streamthunder <= 2.1 - Cross-Site Request Forgery