WordPress Plugin Vulnerabilities

Amazonify <= 0.8.1 - Cross-Site Request Forgery to Amazon Tracking ID Update

Description

The Amazonify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on the amazonifyOptionsPage() function. This makes it possible for unauthenticated attackers to update the plugins settings, including the Amazon Tracking ID, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
amazonify
No known fix

References

CVE
CVE-2023-5818
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/33f3c466-bdeb-402f-bf34-bc703f35e1e2

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ala Arfaoui
Verified
No
WPVDB ID
6f585c85-22b7-491e-8124-5ad6e7efcf4f

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-02-27
Title
RateMyAgent Official < 1.5.0 - Cross-Site Request Forgery to API Key Update
Published
2024-04-10
Title
BEAR <= 1.1.4.1 & WOLF <= 1.0.8.1 - Cross-Site Request Forgery to Notice Dismissal
Published
2014-08-01
Title
NextGEN Gallery <= 1.8.3 - XXS & CSRF
Published
2023-02-28
Title
Real Estate 7 < 3.3.5 - Reflected XSS
Published
2025-01-16
Title
Email on Publish <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting