Anti Hacker < 4.35 – Cross-Site Request Forgery via antihacker_ajax_scan | CVE 2023-50858 | Plugin Vulnerabilities

Description

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 4.35 (exclusive). This is due to missing or incorrect nonce validation on the 'antihacker_ajax_scan' function. This makes it possible for unauthenticated attackers to start the plugin's scanning functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 4.35

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a8ae5712-09a8-45a4-9f79-3e5b7786e652

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

22f17668-e6d1-47c2-b88e-d6ee9f7da951

Timeline

Publicly Published

2023-12-22 (about 2 years ago)

Added

2024-01-04 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-04-18

Title

LetterPress <= 1.2.2 - Subscriber Deletion via CSRF

Published

2025-03-31

Title

Rich Text Editor <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-01-30

Title

Email Before Download <= 6.9.7 - Cross-Site Request Forgery

Published

2021-09-07

Title

Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting

Published

2023-05-16

Title

WP < 6.2.1 - Thumbnail Image Update via CSRF