WordPress Plugin Vulnerabilities

Browser Theme Color < 1.4 - Settings Update via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'btc_settings_page' function. This makes it possible for unauthenticated attackers to modify the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
browser-theme-color
Fixed in 1.4

References

CVE
CVE-2024-22291
URL
https://patchstack.com/database/wordpress/plugin/browser-theme-color/vulnerability/wordpress-browser-theme-color-plugin-1-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
3009b492-bfd3-4e7e-b95c-4e8673d8cf02

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-19 (about 2 years ago)
Last Updated
2025-05-27 (about 11 months ago)

Other

Published
Title
Published
2025-05-07
Title
Product Quantity Dropdown For Woocommerce < 1.3 - Cross-Site Request Forgery
Published
2022-01-13
Title
PHP Everywhere < 2.0.3 - Arbitrary Settings Update via CSRF
Published
2024-04-12
Title
SEO Booster < 3.8.10 - Cross-Site Request Forgery
Published
2025-01-06
Title
ThePerfectWedding.nl Widget < 2.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-12-11
Title
RTL Tester <= 1.2 - Cross-Site Request Forgery