WordPress Plugin Vulnerabilities

WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection

Description

The AJAX action save_content_front lack any capability and CSRF checks, allowing low privilege users to modify any page or post from the blog. This could also lead to XSS via a CSRF attack on a logged in high privilege user.

Affects Plugins

Plugin icon
wp-quick-front-end-editor
No known fix

References

URL
https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-wp-quick-frontend-editor-plugin-unpatched/

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
21de3b4e-aa30-493b-993a-522f56da821e

Timeline

Publicly Published
2021-01-12 (about 5 years ago)
Added
2021-01-12 (about 5 years ago)
Last Updated
2021-01-14 (about 5 years ago)

Other

Published
Title
Published
2026-02-26
Title
Fluent Forms Pro Add On Pack < 6.1.18 - Missing Authorization to Unauthenticated Payment Status modification
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated HTML Injection
Published
2026-01-15
Title
Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit < 5.1.3 - Unauthenticated Order Status Manipulation
Published
2026-02-21
Title
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce < 6.4.8 - Unauthenticated Email Relay
Published
2023-10-03
Title
WP Content Pilot – Autoblogging & Affiliate Marketing Plugin < 1.3.4 - Authenticated (Contributor+) Content Injection