WordPress Plugin Vulnerabilities

Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect the ajax actions azh_add_post, azh_duplicate_post, azh_update_post and azh_remove_post against CSRF attacks, allowing an unauthenticated attacker to add, modify and delete posts by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
page-builder-by-azexo
No known fix

References

CVE
CVE-2023-3052
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/page-builder-by-azexo/page-builder-by-azexo-127133-cross-site-request-forgery-to-post-creationmodificationdeletion

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
746c40e3-0728-42db-bb81-1c8bb63284f5

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-01
Title
Random Featured Post <= 1.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-03-08
Title
CformsII <15.0.4 - Settings Update via CSRF
Published
2025-07-30
Title
oik < 4.15.3 - Cross-Site Request Forgery
Published
2025-06-05
Title
Advanced Post List <= 0.5.6.2 - Cross-Site Request Forgery
Published
2025-01-03
Title
WP Social AutoConnect < 4.6.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting