WordPress Plugin Vulnerabilities

Auto Login New User After Registration <= 1.9.6 - Stored XSS via CSRF

Description

The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Affects Plugins

Plugin icon
auto-login-new-user-after-registration
No known fix

References

CVE
CVE-2023-46201

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
LEE SE HYOUNG
Verified
No
WPVDB ID
535abeba-4afc-401a-9ee6-f4cfb36f7fa9

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-11-15 (about 2 years ago)
Last Updated
2023-11-15 (about 2 years ago)

Other

Published
Title
Published
2024-08-15
Title
Download Plugins and Themes from Dashboard < 1.8.8 - Cross-Site Request Forgery
Published
2023-10-03
Title
Marker.io < 1.1.7 - Cross-Site Request Forgery
Published
2017-04-06
Title
Twitter Cards Meta < 2.5.0 - CSRF and XSS
Published
2022-12-05
Title
Multiple YITH WooCommerce plugins - Cross-Site Scripting via shortcode ajax
Published
2024-11-01
Title
While Loading <= 3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting