WordPress Plugin Vulnerabilities

WP Private Content Plus < 3.2 - Cross-Site Request Forgery

Description

The plugin does not protect its save_groups function against CSRF attacks, allowing an unauthenticated attacker to add new group members on their behalf by tricking a logged in administrator to submit a crafted request.

Affects Plugins

Plugin icon
wp-private-content-plus
Fixed in 3.2

References

CVE
CVE-2021-4385
URL
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
8cb7dfa3-1570-499f-93bb-18751d835868

Timeline

Publicly Published
2021-03-01 (about 5 years ago)
Added
2023-07-03 (about 2 years ago)
Last Updated
2024-03-12 (about 1 year ago)

Other

Published
Title
Published
2025-06-19
Title
WP Front User Submit / Front Editor <= 5.0.6 - Cross-Site Request Forgery
Published
2025-06-19
Title
Mailing Group Listserv <= 3.0.5 - Cross-Site Request Forgery
Published
2025-04-01
Title
Advanced Speed Increaser <= 2.2.1 - Cross-Site Request Forgery
Published
2022-06-16
Title
Comment License < 1.4.0 - Arbitrary Settings Update via CSRF
Published
2024-04-11
Title
WP Matterport Shortcode < 2.2.0 - Cross-Site Request Forgery