WordPress Plugin Vulnerabilities

ILC Thickbox <= 1.0 - Settings update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
ilc-thickbox
No known fix

References

CVE
CVE-2024-7820

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com/
Verified
Yes
WPVDB ID
31b2c97b-2458-43ee-93db-e57968ac8455

Timeline

Publicly Published
2024-08-22 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2023-02-02
Title
Robo Gallery < 3.2.11 - Plugin Activation/Deactivation via CSRF
Published
2025-02-24
Title
Simple Google Sitemap <= 1.6 - Cross-Site Request Forgery
Published
2025-01-16
Title
Category Custom Fields <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-05-23
Title
LaTeX for WordPress <= 3.4.10 - Arbitrary Settings Update via CSRF to Stored XSS
Published
2024-06-20
Title
Chic Lite < 1.1.4 - Cross-Site Request Forgery to Notice Dismissal