WordPress Plugin Vulnerabilities

Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF) to Stored XSS

Description

The plugin does not protect the ajax actions azh_save against CSRF attacks, allowing an unauthenticated attacker to modify posts by tricking a logged in user with rights to edit the post to submit a crafted request. Furthermore if the targeted user has a role of editor or above, arbitrary web scripts can be injected into the updated post, leading to a stored cross-site scripting vulnerability.

Affects Plugins

Plugin icon
page-builder-by-azexo
No known fix

References

CVE
CVE-2023-3055
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/page-builder-by-azexo/page-builder-by-azexo-127133-cross-site-request-forgery-to-stored-cross-site-scripting-via-azh-save

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
97f8176d-75e6-4c6f-93ff-55cd69c75832

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-03 (about 2 years ago)

Other

Published
Title
Published
2023-01-27
Title
Booking calendar, Appointment Booking System < 3.2.4 - Form Creation/Update/Deletion/Duplication via CSRF
Published
2024-12-12
Title
Youtube Video Grid <= 1.9 - Cross-Site Request Forgery
Published
2019-01-08
Title
MapSVG Lite < 3.3.0 - Cross-Site Request Forgery (CSRF)
Published
2025-03-24
Title
WordPress SQL Backup <= 3.5.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2026-03-03
Title
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF