Buy Me a Coffee – Button and Widget Plugin < 3.8 – Cross-Site Request Forgery | CVE 2023-2079 | Plugin Vulnerabilities

Description

The plugin does not properly validate nonces in several functions, including recieve_post, bmc_disconnect, name_post, and widget_post. This lack of validation can lead to Cross-Site Request Forgery, allowing unauthenticated individuals to modify the plugin's settings by deceiving the site's administrator into interacting with a malicious link.

Affects Plugins

Fixed in 3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6309258e-e4fc-4edf-a771-2d82a9a85a5c

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Verified

No

WPVDB ID

77afaffc-448e-4356-8a10-91b991cdfb96

Timeline

Publicly Published

2023-07-10 (about 2 years ago)

Added

2023-07-11 (about 2 years ago)

Last Updated

2023-07-11 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Ultimate Auction 1.0 - Cross-Site Request Forgery (CSRF)

Published

2021-04-22

Title

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF

Published

2021-08-10

Title

MWB Point of Sale (POS) for WooCommerce < 1.0.1 - CSRF Bypass / Unauthorised AJAX Call

Published

2023-11-15

Title

Elementor Addon Elements < 1.12.8 - Elementor Addon Element Enabling/Disabling via CSRF

Published

2024-02-23

Title

KODO Qiniu < 1.5.1 - Cross-Site Request Forgery