WordPress Plugin Vulnerabilities

Rencontre <= 3.2.2 - Multiple CSRF

Description

The plugins is affected by multiple CSRF issues, allowing arbitrary changes of the plugin's settings.

November 3rd, 2019 - WordPress Plugin Team Notified
November 5th, 2019 - WP Plugins Team acknowledgments of the issue.
December 2nd, 2019 - v3.2.2 released, none of the CSRF have been fixed as the nonces have only been set in AJAX actions.
December 8th, 2019 - WP Plugins Team notified again
December 10th, 2019 - Plugin closed for review
December 11th, 2019 - v3.2.3 Released, fixing the issues
December 22nd, Plugin re-opened

Proof of Concept

Affects Plugins

Plugin icon
rencontre
Fixed in 3.2.3

References

URL
https://plugins.trac.wordpress.org/changeset?new=2215566%40rencontre&old=2209198%40rencontre

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Verified
No
WPVDB ID
8028449b-7d10-4780-85d5-0ec09f0ab124

Timeline

Publicly Published
2019-12-22 (about 6 years ago)
Added
2019-12-22 (about 6 years ago)
Last Updated
2019-12-22 (about 6 years ago)

Other

Published
Title
Published
2024-10-11
Title
ImagePress – Image Gallery < 1.3.0 - Cross-Site Request Forgery to Plugin Settings Update
Published
2022-10-30
Title
Appointment Booking Calendar < 1.3.70 - Feedback Submission via CSRF
Published
2025-07-30
Title
YITH WooCommerce Popup < 1.48.1 - Cross-Site Request Forgery
Published
2021-06-21
Title
Staff Directory < 4.0 - Cross-Site Request Forgery (CSRF)
Published
2025-01-16
Title
Kapost < 2.3.0 - Stored XSS via CSRF