WordPress Plugin Vulnerabilities

LWS Hide Login < 2.1.7 - Plugin Settings Page Creation via CSRF

Description

The plugin does not have CSRF checks in its lws_hl_create_page() and lws_hl_create_page_network() functions, which could allow attackers to make logged in admins create the plugin settings pages via CSRF attacks

Affects Plugins

Plugin icon
lws-hide-login
Fixed in 2.1.7

References

CVE
CVE-2023-34025

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
konagash
Verified
No
WPVDB ID
8329ea6f-aa2f-496f-a201-140ced4d597a

Timeline

Publicly Published
2023-05-23 (about 2 years ago)
Added
2023-11-14 (about 2 years ago)
Last Updated
2023-11-14 (about 2 years ago)

Other

Published
Title
Published
2015-07-14
Title
BuddyPress Activity Plus < 1.6.2 - Cross-Site Request Forgery (CSRF)
Published
2023-10-22
Title
Smooth Scroll Links <= 1.1.0 - Arbitrary Settings Update via CSRF
Published
2025-01-16
Title
Wp-Scribd-List <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-05
Title
Custom WooCommerce Checkout Fields Editor <= 1.3.4 - Cross-Site Request Forgery
Published
2025-05-07
Title
PW WooCommerce Bulk Edit < 2.135 - Cross-Site Request Forgery