WordPress Plugin Vulnerabilities

Affiliate Booster < 3.0.6 - Blocks Enabling/Disabling via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to enable or disable all blocks via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
affiliatebooster-blocks
Fixed in 3.0.6

References

CVE
CVE-2023-49148
URL
https://patchstack.com/database/vulnerability/affiliatebooster-blocks/wordpress-affiliate-booster-plugin-3-0-4-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
LEE SE HYOUNG
Verified
Yes
WPVDB ID
721ae45f-008e-4ec0-873d-af3a00d79a6a

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-03-14 (about 2 years ago)

Other

Published
Title
Published
2026-01-28
Title
UsersWP < 1.2.54 - Cross-Site Request Forgery
Published
2025-04-01
Title
Uptime Robot Plugin for WordPress <= 2.3 - Cross-Site Request Forgery
Published
2024-05-13
Title
Clearfy Cache < 2.3.3 - Cross-Site Request Forgery
Published
2025-10-13
Title
Block Country <= 1.0 - Cross-Site Request Forgery
Published
2021-09-11
Title
WP Statistics < 13.1.2 - Arbitrary Plugin Activation/Deactivation via CSRF