WordPress Plugin Vulnerabilities

Gift Up < 2.22 - Settings Update via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the consume_post function, allowing unauthenticated attackers to set the plugin's API key and update other plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
gift-up
Fixed in 2.22

References

CVE
CVE-2023-49744
URL
https://patchstack.com/database/vulnerability/gift-up/wordpress-gift-up-gift-cards-for-wordpress-and-woocommerce-plugin-2-21-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
792cdd11-e8c1-46ab-8d4b-c4ac72185b0d

Timeline

Publicly Published
2023-12-04 (about 2 years ago)
Added
2023-12-09 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2021-06-30
Title
MZ Mindbody API < 2.8.3 - Unauthorised AJAX Calls
Published
2023-11-07
Title
Add Local Avatar <= 12.1 - Cross-Site Request Forgery via manage_avatar_cache
Published
2025-04-09
Title
FraudLabs Pro for WooCommerce < 2.22.9 - Stored XSS via CSRF
Published
2025-01-06
Title
PixelYourSite < 10.0.2 - Settings Update via CSRF
Published
2025-01-07
Title
Uptime Robot <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting