WordPress Plugin Vulnerabilities

Ultimate Member < 2.6.1 - Form Duplication via CSRF

Description

The plugin does not have CSRF checks when duplicating a form, which could allow attackers to make logged in admins perform such actions via a CSRF attack.

Affects Plugins

Plugin icon
ultimate-member
Fixed in 2.6.1

References

CVE
CVE-2023-31216
URL
https://patchstack.com/database/vulnerability/ultimate-member/wordpress-ultimate-member-plugin-2-6-0-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
5273966e-9e0f-4687-8738-07ffa974571d

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-07-18 (about 2 years ago)
Last Updated
2023-07-18 (about 2 years ago)

Other

Published
Title
Published
2021-10-04
Title
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
Published
2024-03-01
Title
Master Slider < 3.10.0 - Sliders Deletion via CSRF
Published
2021-06-30
Title
Woocommerce Tabs Plugin, Add Custom Product Tabs <= 1.0.1 - Arbitrary Tab Deletion/Edition via CSRF
Published
2020-11-19
Title
Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass
Published
2023-01-04
Title
FL3R FeelBox <= 8.1 - Moods Reset via CSRF