WordPress Plugin Vulnerabilities

Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF

Description

The plugin does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
bitcoin-faucet
No known fix

References

CVE
CVE-2022-3025

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
66bc783b-67e1-4bd0-99c0-322873b3a22a

Timeline

Publicly Published
2022-08-31 (about 3 years ago)
Added
2022-08-31 (about 3 years ago)
Last Updated
2022-08-31 (about 3 years ago)

Other

Published
Title
Published
2024-10-15
Title
ElementsReady Addons for Elementor < 6.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2024-06-10
Title
WordPress Online Booking and Scheduling Plugin – Bookly < 23.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Color Profile Parameter
Published
2024-04-16
Title
HT Mega < 2.4.9 - Contributor+ Stored XSS via Accordion/FAQ
Published
2018-01-12
Title
Booking Calendar <= 2.1.7 - Authenticated Stored XSS & CSRF
Published
2025-12-11
Title
LJUsers <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute