Multi-column Tag Map < 17.0.27 – Cross-Site Request Forgery | CVE 2023-41651 | Plugin Vulnerabilities

Description

The Multi-column Tag Map plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the sc_mcTagMap_plugin_options() function in versions up to, and including, 17.0.26. This makes it possible for unauthenticated attackers to update the plugin's setting, via a forged request granted they can trick the site's administrator into performing an action such as clicking on a link.

Affects Plugins

multi-column-tag-map

Fixed in 17.0.27

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d2a60cb2-fe7d-4c51-9995-5cb4682d9d26

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Rio Darmawan

Verified

No

WPVDB ID

4f419212-cdaa-4c59-a007-044cb8db06e2

Timeline

Publicly Published

2023-09-01 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-30 (about 2 years ago)

Other

Published

Title

Published

2025-01-31

Title

DigiTimber cPanel Integration < 1.4.8 - Cross-Site Request Forgery to Stored Cross-site Scripting

Published

2024-07-17

Title

Cooked – Recipe Management < 1.8.0 - Cross-Site Request Forgery to Template Apply

Published

2024-03-19

Title

Woomotiv < 3.5.0 - Review Count Reset via CSRF

Published

2024-04-22

Title

YITH WooCommerce Compare < 2.38.0 - Cross-Site Request Forgery

Published

2025-05-16

Title

WP Ultimate Tours Builder <= 1.055 - Cross-Site Request Forgery