Themes Vulnerabilities

WPLMS < 4.900 - Cross-Site Request Forgery

Description

The plugin does not adequately verify requests use nonces, making it susceptible to Cross-Site Request Forgery (CSRF) attacks.

Affects Themes

wplms
Fixed in 4.900

References

CVE
CVE-2023-36690
URL
https://patchstack.com/database/vulnerability/wplms/wordpress-wplms-theme-4-600-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
29c8a1d1-37c2-4e07-a0f9-93ae74dc7121

Timeline

Publicly Published
2023-07-05 (about 2 years ago)
Added
2023-07-11 (about 2 years ago)
Last Updated
2023-07-11 (about 2 years ago)

Other

Published
Title
Published
2025-09-26
Title
Flytedesk Digital <= 20181101 - Cross-Site Request Forgery
Published
2022-02-07
Title
WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF
Published
2024-11-01
Title
Skip To <= 2.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-04-17
Title
Broken Links Remover <= 1.2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-01-13
Title
Universal Star Rating <= 2.1.0 - CSRF