WordPress Plugin Vulnerabilities

Image Hover Effects < 5.6 - Caption Settings Update via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the save_caption_options() function. This makes it possible for unauthenticated attackers to modify the caption options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
image-hover-effects
Fixed in 5.6

References

CVE
CVE-2023-47552
URL
https://patchstack.com/database/vulnerability/image-hover-effects/wordpress-image-hover-effects-plugin-5-5-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
9a2be639-2e13-406f-b718-ad10902df912

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-05-08 (about 2 years ago)

Other

Published
Title
Published
2025-07-01
Title
Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
Published
2025-03-11
Title
Custom Dashboard Page <= 1.0 - Cross-Site Request Forgery
Published
2018-03-29
Title
WP Image Zoom <= 1.23 - Cross-Site Request Forgery (CSRF)
Published
2025-12-19
Title
WP DB Booster <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup
Published
2024-08-05
Title
Shield Security < 20.0.6 - Reflected XSS