WordPress Plugin Vulnerabilities

Creative Mail < 1.6.0 - Multiple CSRF

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as enable disable contact sync, reset the plugin, unlink accounts and update email marketing settings

Affects Plugins

Plugin icon
creative-mail-by-constant-contact
Fixed in 1.6.0

References

CVE
CVE-2022-44740

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Verified
No
WPVDB ID
76e44e73-ab85-42a6-9dae-495763d02859

Timeline

Publicly Published
2022-10-28 (about 3 years ago)
Added
2022-11-19 (about 3 years ago)
Last Updated
2022-11-19 (about 3 years ago)

Other

Published
Title
Published
2014-08-27
Title
Quick Post Widget 1.9.1 - Multiple Function CSRF
Published
2023-04-12
Title
ChatBot < 4.4.5 - Stored XSS via CSRF
Published
2025-09-22
Title
Advanced Appointment Booking & Scheduling <= 1.9 - Cross-Site Request Forgery
Published
2024-10-18
Title
EventON PRO - WordPress Virtual Event Calendar Plugin < 4.7 - Cross-Site Request Forgery via admin_test_email
Published
2015-04-02
Title
WP Easy Slideshow <= 1.0.3 - Multiple Cross-Site Request Forgery (CSRF)