WordPress Plugin Vulnerabilities

Qtranslate Slug <= 1.1.18 - Cross-Site Request Forgery

Description

The plugin does not correctly validate nonces in the save_postdata() function, which could lead to Cross-Site Request Forgery. This may enable unauthenticated users to save post data via a fraudulent request if they can deceive a site administrator into clicking on a manipulated link.

Affects Plugins

Plugin icon
qtranslate-slug
No known fix

References

CVE
CVE-2021-4410
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d682596-c32d-4abd-ba39-b57fc45c9ce0

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
6db55992-939c-43d8-97a0-2f3f687b47d7

Timeline

Publicly Published
2021-06-08 (about 4 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Curvo - wp-content/themes/curvo/functions/upload-h&ler.php File Upload CSRF
Published
2024-01-03
Title
Custom User CSS <= 0.2 - Settings Update via CSRF
Published
2022-06-06
Title
MyCSS <= 1.1 - Arbitrary Settings Update via CSRF
Published
2023-10-03
Title
Short URL <= 1.6.8 - CSRF
Published
2025-05-07
Title
WP Compress < 6.30.31 - Cross-Site Request Forgery