WordPress Plugin Vulnerabilities

Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
cimy-header-image-rotator
No known fix

References

CVE
CVE-2022-1885

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
8416cbcf-086d-42ff-b2a4-f3954c8ff0c8

Timeline

Publicly Published
2022-06-01 (about 3 years ago)
Added
2022-06-01 (about 3 years ago)
Last Updated
2023-03-02 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Nokri <= 1.6.4 - Cross-Site Request Forgery
Published
2023-12-26
Title
Customize My Account for WooCommerce < 1.8.4 - Cross-Site Request Forgery via restore_my_account_tabs
Published
2023-06-03
Title
WPC Smart Wishlist for WooCommerce < 4.7.2 - Add/Remove Wishlist Items via CSRF
Published
2023-10-03
Title
Category Meta <= 1.2.8 - CSRF
Published
2024-12-14
Title
Flash News / Post (Responsive) <= 4.1 - Cross-Site Request Forgery to Privilege Escalation