WordPress Plugin Vulnerabilities

FreeMind WP Browser <= 1.2 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when updating its setting, and does not have sanitisation as well as escaping in some of them, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in them via CSRF attack

Affects Plugins

Plugin icon
freemind-wp-browser
No known fix

References

CVE
CVE-2022-2252

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Kenya Uematsu
Verified
Yes
WPVDB ID
827a80ee-6f5f-467c-ae89-fc8827f34d38

Timeline

Publicly Published
2022-07-05 (about 3 years ago)
Added
2022-07-05 (about 3 years ago)
Last Updated
2023-04-10 (about 3 years ago)

Other

Published
Title
Published
2024-12-06
Title
Poll Maker < 5.5.5 - Cross-Site Request Forgery to Poll Duplication
Published
2021-07-27
Title
uListing < 2.0.6 - Settings Update via CSRF
Published
2022-10-30
Title
Appointment Booking Calendar < 1.3.70 - Feedback Submission via CSRF
Published
2025-09-09
Title
Advanced Settings < 3.2.0 - Cross-Site Request Forgery
Published
2024-04-25
Title
Newsletter Popup <= 1.2 - List Deletion via CSRF