WordPress Plugin Vulnerabilities

WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF

Description

The plugin is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails.

Proof of Concept

Affects Plugins

Plugin icon
wp-opt-in
No known fix

References

CVE
CVE-2022-2123

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
46b634f6-92bc-4e00-a4c0-c25135c61922

Timeline

Publicly Published
2022-06-20 (about 3 years ago)
Added
2022-06-20 (about 3 years ago)
Last Updated
2023-03-25 (about 2 years ago)

Other

Published
Title
Published
2025-03-05
Title
Podlove Podcast Publisher < 4.2.3 - Cross-Site Request Forgery via ajax_transcript_delete Function
Published
2025-01-16
Title
EmailShroud <= 2.2.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
Published
2025-01-16
Title
CNZZ&51LA for WordPress <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-07-19
Title
WP GoToWebinar < 15.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-01-03
Title
NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF