Taggbox <= 3.3 – Cross-Site Request Forgery | CVE 2023-33214 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2023-45763 appears to be associated to this vulnerability as well.

Affects Plugins

No known fix

References

CVE

URL

https://patchstack.com/database/vulnerability/taggbox-widget/wordpress-taggbox-ugc-galleries-social-media-widgets-user-reviews-analytics-plugin-2-9-cross-site-request-forgery-csrf-vulnerability

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

2729d7db-3524-4407-be8c-9d85aec3c048

Timeline

Publicly Published

2023-10-12 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-03-20 (about 2 years ago)

Other

Published

Title

Published

2023-10-16

Title

Sort SearchResult By Title < 11.0 - CSRF

Published

2024-11-01

Title

SmartLink Dynamic URLs < 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2014-08-01

Title

GA Universal 1.0 - Setting Manipulation CSRF

Published

2025-04-09

Title

Scheduled <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-09-22

Title

Advanced Appointment Booking & Scheduling <= 1.9 - Cross-Site Request Forgery