WordPress Plugin Vulnerabilities

Staff Directory < 4.0 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
staff-directory-pro
Fixed in 4.0

References

CVE
CVE-2021-4397
URL
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
33948852-8fc1-414f-807c-d725875193bd

Timeline

Publicly Published
2021-06-21 (about 4 years ago)
Added
2023-07-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2025-09-26
Title
Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending
Published
2022-04-14
Title
Fancy Product Designer < 4.7.6 - Arbitrary File Upload via CSRF
Published
2014-09-28
Title
W3 Total Cache 0.9.4 - Edge Mode Enabling CSRF
Published
2024-08-01
Title
Tutor LMS < 2.7.3 - Cross-Site Request Forgery
Published
2025-04-09
Title
Foliopress WYSIWYG <= 2.6.18 - Cross-Site Request Forgery to Stored Cross-Site Scripting