WordPress Plugin Vulnerabilities

Crowdsignal Dashboard < 3.1.0 - Rating Update via CSRF

Description

The plugin does not have CSRF check in its update_rating() function, which could allow attackers to make logged in users admins update ratings via a CSRF attack

Affects Plugins

Plugin icon
polldaddy
Fixed in 3.1.0

References

CVE
CVE-2023-51489
URL
https://patchstack.com/database/vulnerability/polldaddy/wordpress-crowdsignal-polls-ratings-plugin-3-0-11-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
29c98f5f-e0bf-479d-b80c-fcf0b2df2ba8

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2023-02-22
Title
Auto Affiliate Links < 6.3.0.3 - Settings Update via CSRF
Published
2025-01-07
Title
Laika Pedigree Tree <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-22
Title
WPMK PDF Generator <= 1.0.1 - Cross-Site Request Forgery
Published
2025-06-27
Title
IS-theme-companion <= 1.59 - Cross-Site Request Forgery
Published
2025-01-17
Title
ShipWorks Connector for Woocommerce < 5.2.6 - Cross-Site Request Forgery to Service Password/Username Update