WordPress Plugin Vulnerabilities

Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wordpress-twitterbot
No known fix

References

CVE
CVE-2023-7197
URL
https://magos-securitas.com/txt/CVE-2023-7197.txt

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
26deaa7c-e331-42a0-9310-31d08871154c

Timeline

Publicly Published
2024-01-23 (about 1 year ago)
Added
2024-01-23 (about 1 year ago)
Last Updated
2024-01-23 (about 1 year ago)

Other

Published
Title
Published
2019-08-09
Title
WP SVG Icons <= 3.2.2 - Cross-Site Request Forgery (CSRF) leading to RCE
Published
2025-12-02
Title
ShopEngine < 4.8.6 - Cross-Site Request Forgery to Wishlist Manipulation
Published
2025-10-24
Title
Simple Registration for WooCommerce < 1.5.9 - Cross-Site Request Forgery to Privilege Escalation via Role Request Approval
Published
2025-02-13
Title
Bootstrap collapse <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-24
Title
Yummly Rich Recipes <= 4.2 - Cross-Site Request Forgery