WordPress Plugin Vulnerabilities

Digital Publications by Supsystic < 1.7.7 - Cross-Site Request Forgery via AJAX action

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
digital-publications-by-supsystic
Fixed in 1.7.7

References

CVE
CVE-2023-5756
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2304e4dc-0dc6-4ded-b8e6-8d76d70f63d7

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
3d832056-8ff6-4020-b344-f163e12bda29

Timeline

Publicly Published
2023-12-08 (about 2 years ago)
Added
2023-12-09 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2024-08-16
Title
oik < 4.12.1 - Cross-Site Request Forgery
Published
2025-04-24
Title
Wp Custom CMS Block <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-06-30
Title
Alkubot < 3.0.0 - Unauthorised AJAX call via CSRF
Published
2023-10-13
Title
Pinpoint Booking System < 2.9.9.4.1 - Arbitrary Settings Update via CSRF
Published
2026-03-20
Title
Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update