WordPress Plugin Vulnerabilities

Webpushr < 4.35.0 - LFI via CSRF

Description

The plugin does not have CSRF check in its wpp_save_settings() function, and does not validate the menu parameter, allowing attackers to make logged in users admins perform LFI attacks via CSRF

Affects Plugins

Plugin icon
webpushr-web-push-notifications
Fixed in 4.35.0

References

CVE
CVE-2023-35041

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.0 (medium)

Miscellaneous

Original Researcher
Theodoros Malachias
Verified
No
WPVDB ID
55ec85e4-f3f3-41d3-8547-1c13526e9c1c

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-11-14 (about 2 years ago)
Last Updated
2023-11-14 (about 2 years ago)

Other

Published
Title
Published
2025-04-16
Title
Bulk Term Editor <= 1.1.4 - Cross-Site Request Forgery
Published
2023-01-05
Title
Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
Published
2019-07-17
Title
WP Code Highlight.js < 0.6.3 - CSRF to Stored XSS
Published
2025-10-30
Title
I Order Terms < 1.5.1 - Cross-Site Request Forgery
Published
2019-04-23
Title
Contact Form Builder <= 1.0.68 - CSRF to LFI