WordPress Plugin Vulnerabilities

Ultimate Category Excluder < 1.2 - Cross-Site Request Forgery

Description

The plugin did not check for CSRF nonce in its options page, allowing attacker to perform CSRF attacks against logged in users.

Affects Plugins

Plugin icon
ultimate-category-excluder
Fixed in 1.2

References

CVE
CVE-2020-35135
URL
https://plugins.trac.wordpress.org/changeset/2434070

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
SCA AppSec
Verified
No
WPVDB ID
2dee07e5-a931-4bd8-ac21-bb334e492fef

Timeline

Publicly Published
2020-12-11 (about 5 years ago)
Added
2020-12-11 (about 5 years ago)
Last Updated
2020-12-12 (about 5 years ago)

Other

Published
Title
Published
2024-04-11
Title
WP Compress – Image Optimizer [All-In-One] < 6.11.01 - Cross-Site Request Forgery
Published
2023-02-14
Title
NextGEN Gallery < 3.29 - Thumbnail Deletion via CSRF
Published
2024-12-16
Title
User Role Editor < 4.64.4 - Cross-Site Request Forgery to Privilege Escalation
Published
2026-01-15
Title
Related Posts Thumbnails Plugin for WordPress <= 4.3.1 - Cross-Site Request Forgery
Published
2025-01-07
Title
Admin debug wordpress – enable debug <= 1.0.13 - Cross-Site Request Forgery