WordPress Plugin Vulnerabilities

Thumbnail carousel slider < 1.0.1 - Cross-Site Request Forgery to Mass Slider Deletion

Description

The Thumbnail carousel slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the deleteselected function. This makes it possible for unauthenticated attackers to delete sliders in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-responsive-thumbnail-slider
Fixed in 1.0.1

References

CVE
CVE-2023-5821
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bde75c5a-b0b7-4f26-91e9-dd4816e276c9

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ala Arfaoui
Verified
No
WPVDB ID
92bfa009-ba3c-4eed-af79-bd491134a95e

Timeline

Publicly Published
2023-10-26 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Elite Video Player <= 10.0.5 - Cross-Site Request Forgery
Published
2021-08-10
Title
MWB Point of Sale (POS) for WooCommerce < 1.0.1 - CSRF Bypass / Unauthorised AJAX Call
Published
2023-02-06
Title
A2 Optimized WP < 3.0.5 - Data Collection Toggle via CSRF
Published
2025-06-27
Title
WooCommerce PDF Invoice Builder < 1.2.149 - Cross-Site Request Forgery
Published
2026-02-02
Title
Mail Mint < 1.19.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting