WordPress Plugin Vulnerabilities

WP-Matomo Integration (WP-Piwik) < 1.0.27 - Plugin Settings Reset via CSRF

Description

The plugin does not have CSRF when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp-piwik
Fixed in 1.0.27

References

URL
https://plugins.trac.wordpress.org/changeset/2674643

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
19d30053-3d57-4a16-a339-c15c84b5ca32

Timeline

Publicly Published
2022-02-14 (about 4 years ago)
Added
2022-02-14 (about 4 years ago)
Last Updated
2022-02-14 (about 4 years ago)

Other

Published
Title
Published
2025-06-05
Title
Anti-Spam: Spam Protection < 2025 - Multiple Administrative Actions via CSRF
Published
2025-08-15
Title
LatestCheckins <= 1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-12
Title
Youtube Video Grid <= 1.9 - Cross-Site Request Forgery
Published
2020-02-05
Title
WP Fastest Cache < 0.9.0.3 - Cross-Site Request Forgery (CSRF) Arbitrary File Deletion
Published
2025-09-26
Title
Instapage Plugin < 3.7.1 - Cross-Site Request Forgery