WordPress Plugin Vulnerabilities

Block Update < 3.3.2 - Arbitrary Plugin Update Blocking via CSRF

Description

The plugin does not have CSRF check when blocking plugin from being updated, which could allow attackers to make logged in admins perform such actions via a CSRF attack

Affects Plugins

Plugin icon
block-specific-plugin-updates
Fixed in 3.3.2

References

CVE
CVE-2023-44261
URL
https://patchstack.com/database/vulnerability/block-specific-plugin-updates/wordpress-block-plugin-update-plugin-3-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
93d43c67-7846-4f82-b384-f7f789e038a3

Timeline

Publicly Published
2023-09-27 (about 2 years ago)
Added
2023-10-10 (about 2 years ago)
Last Updated
2024-01-08 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
Feed Statistics <= 4.1 - Arbitrary Settings Update via CSRF
Published
2024-08-22
Title
MM-Breaking News <= 0.7.9 - Stored XSS via CSRF
Published
2025-03-27
Title
wpShopGermany IT-RECHT KANZLEI < 2.1 - Cross-Site Request Forgery
Published
2025-09-05
Title
WooCommerce Single Page Checkout <= 1.2.7 - Cross-Site Request Forgery
Published
2019-06-16
Title
WebP Express <= 0.14.10 - Multiple Issues