WordPress Plugin Vulnerabilities

MyBookTable Bookstore < 3.3.5 - API Key Update via CSRF

Description

The plugin does not have CSRF check when updating its API key via the mbt_api_key_refresh_ajax() function, which could allow attackers to make logged in admins update it via a CSRF attack

Affects Plugins

Plugin icon
mybooktable
Fixed in 3.3.5

References

CVE
CVE-2023-48331
URL
https://patchstack.com/database/vulnerability/mybooktable/wordpress-mybooktable-bookstore-by-stormhill-media-plugin-3-3-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
894c3e72-8715-4891-800c-7c2638fffcc5

Timeline

Publicly Published
2023-11-23 (about 2 years ago)
Added
2023-11-28 (about 2 years ago)
Last Updated
2023-12-14 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
Add image to Post <= 0.6 - Cross-Site Request Forgery
Published
2020-06-16
Title
Delete All Comments Easily <= 1.3 - All Comments Deletion via CSRF
Published
2025-12-11
Title
Secure Copy Content Protection and Content Locking < 4.9.3 - Cross-Site Request Forgery to Data Export
Published
2024-12-12
Title
Aphorismus <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-27
Title
Relocate Upload <= 0.24.1 - Cross-Site Request Forgery