WordPress Plugin Vulnerabilities

Strong Testimonials < 2.51.3 - Unauthorised AJAX Call

Description

The plugin did not propely check for CSRF and authorisation in all the wpmtst_add_field_*_function functions, allowing unauthorised call of the associated AJAX actions either via low privilege users or CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
strong-testimonials
Fixed in 2.51.3

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
6b3b337d-e8d6-4fae-b17a-dc6ec49b039d

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2015-06-04
Title
zM Ajax Login & Register 1.0.9 - Local File Inclusion & XSS
Published
2014-08-01
Title
Google Alert And Twitter 3.1.5 - XSS Exploit, SQL Injection
Published
2019-07-08
Title
Rencontre – Dating Site <= 3.1.2 - SQLi & XSS
Published
2016-05-18
Title
Fluid Responsive Slideshow < 2.2.7 - CSRF & XSS
Published
2014-09-21
Title
Login Widget With Shortcode 3.1.1 - CSRF/XSS