WordPress Plugin Vulnerabilities

Pop-up < 1.1.6 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
pop-up-pop-up
Fixed in 1.1.6

References

CVE
CVE-2022-38070

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tien Nguyen Anh
Verified
No
WPVDB ID
56174ffb-3d34-48f4-acb1-a7aa799db1e1

Timeline

Publicly Published
2022-09-02 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2022-09-14 (about 3 years ago)

Other

Published
Title
Published
2024-07-01
Title
pz-frontend-manager < 1.0.6 - CSRF change user profile picture
Published
2025-03-27
Title
Serial Codes Generator and Validator with WooCommerce Support < 2.7.8 - Cross-Site Request Forgery via [placeholder]
Published
2024-11-28
Title
Custom Post Type to Map Store <= 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-10-13
Title
WhitePage <= 1.1.5 - Arbitrary Settings Update via CSRF
Published
2022-04-29
Title
Subscribe To Comments Reloaded < 220502 - Multiple CSRF