WordPress Plugin Vulnerabilities

For the visually impaired <= 0.58 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect its vi_plugin_setup_menu function against CSRF attacks, allowing an unauthenticated attacker to update plugin settings by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
for-the-visually-impaired
No known fix

References

CVE
CVE-2023-25038
URL
https://patchstack.com/database/vulnerability/for-the-visually-impaired/wordpress-for-the-visually-impaired-plugin-0-58-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
233a0e68-194b-4913-8bc4-81506cd20b6c

Timeline

Publicly Published
2023-02-23 (about 3 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2026-01-06
Title
SVG Map Plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
Published
2023-05-31
Title
bbPress Toolkit <= 1.0.12 - Cross-Site Request Forgery
Published
2024-10-28
Title
CM Table Of Contents – WordPress TOC Plugin < 1.2.3 - Settings Reset via CSRF
Published
2025-04-17
Title
Revision Diet <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-12
Title
WordPress Filter <= 1.4.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting