WordPress Plugin Vulnerabilities

AnyMind Widget <= 1.1 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when updating the setWidgetId setting, and does not have sanitisation as well as escaping applied to it, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in it via CSRF attack

Affects Plugins

Plugin icon
anymind-widget
No known fix

References

CVE
CVE-2022-2251

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Sho Sakata
Verified
Yes
WPVDB ID
668d789c-d736-45e8-8a6e-763e9bcf2f9e

Timeline

Publicly Published
2022-07-05 (about 3 years ago)
Added
2022-07-05 (about 3 years ago)
Last Updated
2023-04-09 (about 3 years ago)

Other

Published
Title
Published
2025-04-09
Title
Buddypress Humanity <= 1.2 - Cross-Site Request Forgery to Privilege Escalation
Published
2025-05-07
Title
Easy PayPal Events < 1.3 - Cross-Site Request Forgery
Published
2023-07-17
Title
Front End Users < 3.2.25 - Cross-Site Request Forgery
Published
2023-11-29
Title
Debug Log Manager < 2.2.2 - Debug Log Clearing via CSRF
Published
2025-06-27
Title
WooCommerce PDF Invoice Builder < 1.2.149 - Cross-Site Request Forgery