WordPress Plugin Vulnerabilities

New User Email Set Up <= 0.5.2 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
new-user-email-set-up
No known fix

References

CVE
CVE-2022-1790

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
176d5761-4f01-4173-a70c-6052a6a9963e

Timeline

Publicly Published
2022-05-23 (about 3 years ago)
Added
2022-05-23 (about 3 years ago)
Last Updated
2023-02-16 (about 2 years ago)

Other

Published
Title
Published
2025-01-29
Title
CP Contact Form with PayPal < 1.3.53 - Cross-Site Request Forgery
Published
2022-10-31
Title
Event Monster < 1.2.0 - Visitors Deletion via CSRF
Published
2025-02-13
Title
Global Meta Keyword & Description <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-09-24
Title
Premium Packages – Sell Digital Products Securely < 5.9.2 - Cross-Site Request Forgery
Published
2014-08-01
Title
Featured Comments 1.2.1 - wp-admin/admin-ajax.php Comment Status Manipulation CSRF