WordPress Plugin Vulnerabilities

WP Security Question <= 1.0.5 - Cross-Site Request Forgery

Description

The plugin does not protect its save function against CSRF attacks, allowing an unauthenticated attacker to modify the plugins settings on their behalf by tricking a logged in administrator to submit a crafted request.

Affects Plugins

Plugin icon
wp-security-questions
No known fix

References

CVE
CVE-2021-4386
URL
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
7ebd87b8-d019-4ab9-b0a2-5de5d5fc4e55

Timeline

Publicly Published
2021-08-16 (about 4 years ago)
Added
2023-07-03 (about 2 years ago)
Last Updated
2023-07-03 (about 2 years ago)

Other

Published
Title
Published
2020-09-06
Title
ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings
Published
2024-05-14
Title
Integration for Contact Form 7 HubSpot <=1.3.1 - Cross-Site Request Forgery
Published
2019-06-03
Title
WP Google Maps <= 7.11.27 - Admin Settings CSRF
Published
2025-01-27
Title
Dynamic URL SEO < 1.2 - Cross-Site Request Forgery
Published
2025-03-28
Title
OmniLeads Scripts and Tags Manager <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting