WordPress Plugin Vulnerabilities

Sp*tify Play Button for WordPress < 2.11 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
spotify-play-button-for-wordpress
Fixed in 2.11

References

CVE
CVE-2023-41131
URL
https://patchstack.com/database/vulnerability/spotify-play-button-for-wordpress/wordpress-sp-tify-play-button-for-wordpress-plugin-2-10-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
BuShiYue
Verified
No
WPVDB ID
33fca40f-2c16-40b4-8fd8-5e629d13e80e

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-10-13 (about 2 years ago)
Last Updated
2024-03-11 (about 2 years ago)

Other

Published
Title
Published
2023-11-14
Title
WooCommerce Bookings < 2.0.4 - Cross-Site Request Forgery
Published
2025-05-07
Title
theMarketer < 1.4.8 - Stored XSS via CSRF
Published
2025-03-11
Title
REST API TO MiniProgram <= 4.7.1 - Cross-Site Request Forgery
Published
2022-11-14
Title
Follow Me Plugin <= 3.1.1 - Stored XSS via CSRF
Published
2025-02-13
Title
Simple Responsive Menu <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting