WordPress Plugin Vulnerabilities

Brave Popup Builder < 0.7.1 - Cross-Site Request Forgery

Description

The Brave Popup Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.7.0. This is due to missing or incorrect nonce validation on the bravepop_ajax_zoho_init_token() function. This makes it possible for unauthenticated attackers to save an integration token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 0.7.1

References

Classification

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-19 (about 1 year ago)
Last Updated
2024-08-19 (about 1 year ago)

Other