WordPress Plugin Vulnerabilities

EnvíaloSimple < 2.3 - API Key Update via CSRF

Description

The plugin does not have CSRF check when updating its API Key, which could allow attackers to make logged in users perform such action via a CSRF attack

Affects Plugins

Plugin icon
envialosimple-email-marketing-y-newsletters-gratis
Fixed in 2.3

References

CVE
CVE-2023-51416
URL
https://patchstack.com/database/vulnerability/envialosimple-email-marketing-y-newsletters-gratis/wordpress-envialosimple-plugin-2-1-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
1db41efa-1e26-4acc-88e4-b4cc9a4e289c

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2025-03-24 (about 1 year ago)

Other

Published
Title
Published
2025-01-07
Title
Uptime Robot <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-12-04
Title
Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update
Published
2024-04-11
Title
Crony Cronjob Manager <= 0.5.0 - Cross-Site Request Forgery
Published
2024-12-19
Title
WP Nice Loader <= 0.1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-05-03
Title
Restaurant and Cafe < 1.2.2 - Cross-Site Request Forgery to Notice Dismissal