WordPress Plugin Vulnerabilities

Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue.

v1.3.4 fixed the CSRF, but not the sanitisation/escaping fully. Another issue has been created for it

Proof of Concept

Affects Plugins

Plugin icon
weather-effect
Fixed in 1.3.4

References

CVE
CVE-2021-24683

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
54f95b51-5804-4bee-9e4a-f73b8ef9bbd5

Timeline

Publicly Published
2021-09-07 (about 4 years ago)
Added
2021-09-07 (about 4 years ago)
Last Updated
2023-01-30 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
Gaxx Keywords <= 0.2 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2025-04-09
Title
Comment Validation Reloaded <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-09-22
Title
DoFollow Case by Case < 3.5.0 - Email&URLs Adding to Allowlist via CSRF
Published
2025-09-22
Title
Developer <= 1.2.6 - Cross-Site Request Forgery
Published
2023-10-06
Title
Urvanov Syntax Highlighter < 2.8.34 - Highlighting Blocks Mgt via CSRF