WordPress Plugin Vulnerabilities

Mobile Browser Color Select <= 1.0.1 - Stored Cross-Site Scripting via CSRF

Description

The plugin is lacking CSRF check in its admin_update_data() function, which could allow attackers to make a logged in admin call it, and perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the processed user input

Affects Plugins

Plugin icon
mobile-browser-color-select
No known fix

References

CVE
CVE-2022-1969

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Tsubasa Imaizumi (Cryptography Laboratory in Tokyo Denki University)
Verified
Yes
WPVDB ID
84c3f0c5-4c64-49bd-ae4b-b73dbf1302e5

Timeline

Publicly Published
2022-06-01 (about 3 years ago)
Added
2022-06-01 (about 3 years ago)
Last Updated
2023-03-02 (about 3 years ago)

Other

Published
Title
Published
2025-06-27
Title
WP GDPR Cookie Consent <= 1.0.0 - Cross-Site Request Forgery
Published
2025-05-07
Title
워드프레스 결제 심플페이 < 5.3.3 - Cross-Site Request Forgery
Published
2024-05-29
Title
WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_manage()
Published
2026-01-30
Title
Popup Box < 6.1.2 - Cross-Site Request Forgery to Popup Status Change
Published
2024-11-01
Title
Naver Blog <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting