WordPress Plugin Vulnerabilities

SIS Handball <= 1.0.45 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
sis-handball
No known fix

References

CVE
CVE-2023-41684

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
902844d7-0d21-4e4a-b349-06caff302cf6

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-10-12 (about 2 years ago)
Last Updated
2023-10-12 (about 2 years ago)

Other

Published
Title
Published
2026-01-23
Title
WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update
Published
2025-05-16
Title
CSS3 Accordions for WordPress < 3.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-11-15
Title
WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF
Published
2021-06-14
Title
Vik Rent Car < 1.1.7 - CSRF to Stored XSS
Published
2025-09-09
Title
WP Blast | SEO & Performance Booster < 1.8.7 - Cross-Site Request Forgery to Cache Clearing