WordPress Plugin Vulnerabilities

Enhanced Search Box <= 0.6.1 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
extended-search-plugin
No known fix

References

CVE
CVE-2024-8091

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com/
Verified
Yes
WPVDB ID
1ca90b81-7539-4a15-8c5a-39a8d96a74a2

Timeline

Publicly Published
2024-08-27 (about 1 year ago)
Added
2024-08-27 (about 1 year ago)
Last Updated
2024-08-27 (about 1 year ago)

Other

Published
Title
Published
2025-01-27
Title
Issuu Panel <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-11-21
Title
UserPro < 5.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata
Published
2025-10-15
Title
SUMO Memberships for WooCommerce < 7.8.0 - Cross-Site Request Forgery
Published
2024-07-11
Title
Widgets Reset <= 0.1 - Settings Update via CSRF
Published
2022-01-05
Title
SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting