WordPress Plugin Vulnerabilities

Starter Templates <= 3.1.20 - Settings Update via CSRF

Description

The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged-in admins to change the favorite template via a CSRF attack

Affects Plugins

Plugin icon
astra-sites
Fixed in 3.1.21

References

CVE
CVE-2022-46851

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
9e06baec-abf5-4032-a1fe-f7a0f9b19187

Timeline

Publicly Published
2023-02-20 (about 3 years ago)
Added
2023-05-23 (about 2 years ago)
Last Updated
2023-05-23 (about 2 years ago)

Other

Published
Title
Published
2021-06-08
Title
WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF
Published
2026-01-15
Title
LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update
Published
2024-08-01
Title
WordPress Menu Plugin — Superfly Responsive Menu < 5.0.30 - Cross-Site Request Forgery to Arbitrary File Deletion
Published
2023-07-26
Title
WP Tell a Friend Popup Form <= 7.1 - Settings Update via CSRF
Published
2023-09-05
Title
SendPress Newsletters <= 1.26.1.20 - CSRF