WordPress Plugin Vulnerabilities

Link Library < 7.2.8 - Library Settings Reset via CSRF

Description

The plugin does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack

Proof of Concept

https://example.com/wp-admin/admin.php?page=link-library-settingssets&settings=1&reset=1

Affects Plugins

Plugin icon
link-library
Fixed in 7.2.8

References

CVE
CVE-2021-25092

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
1cd30913-67c7-46c3-a2de-dcca0c332323

Timeline

Publicly Published
2021-12-30 (about 2 years ago)
Added
2021-12-30 (about 2 years ago)
Last Updated
2022-04-16 (about 2 years ago)

Other

Published
Title
Published
2024-04-11
Title
Counter Box < 1.2.4 - Counter Deletion via CSRF
Published
2024-04-19
Title
Regenerate post permalink <= 1.0.3 - Cross-Site Request Forgery
Published
2023-09-29
Title
Instant CSS < 1.2.2 - Theme/CSS/Minify/Preprocessor Data Update via CSRF
Published
2023-11-22
Title
WooCommerce Parcel Pro < 1.6.12 - Cross-Site Request Forgery
Published
2023-04-19
Title
GDPR Compliance & Cookie Consent < 1.3 - CSRF