WordPress Plugin Vulnerabilities

Custom Header Images <= 1.2.1 - Cross-Site Request Forgery

Description

The Custom Header Images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown.

Affects Plugins

Plugin icon
custom-header-images
No known fix

References

CVE
CVE-2023-46636
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0beaa7ce-40aa-429e-80fd-d04e75489b92

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
79c7cae2-b319-437b-8695-ef401ba08e44

Timeline

Publicly Published
2023-10-25 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-09-29
Title
Chat by Chatwee <= 2.1.3 - Cross-Site Request Forgery to Settings Update
Published
2024-04-11
Title
Popup Box < 2.2.7 - Popup Deletion via CSRF
Published
2023-10-17
Title
Stripe Gateway < 7.6.1 - Cross-Site Request Forgery
Published
2022-05-18
Title
Webriti SMTP Mail <= 1.0 - Arbitrary Settings Update via CSRF
Published
2023-10-24
Title
Quill Forms < 3.4.0 - Cross-Site Request Forgery