WordPress Plugin Vulnerabilities

WordPress Users <= 1.4 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
wordpress-users
No known fix

References

CVE
CVE-2023-6390
URL
https://magos-securitas.com/txt/2023-6390.txt

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
a0ca68d3-f885-46c9-9f6b-b77ad387d25d

Timeline

Publicly Published
2024-01-03 (about 1 year ago)
Added
2024-01-03 (about 1 year ago)
Last Updated
2024-01-03 (about 1 year ago)

Other

Published
Title
Published
2022-09-23
Title
Kraken.io Image Optimizer < 2.6.6 - Settings Update via CSRF
Published
2023-07-17
Title
WooCommerce Ship to Multiple Addresses < 3.8.6 - Cross-Site Request Forgery
Published
2022-09-30
Title
OSM < 6.0.3 - CSRF
Published
2014-08-01
Title
ShareThis 7.0.3 - Setting Manipulation CSRF
Published
2025-10-14
Title
replyMail <= 1.2.0 - Cross-Site Request Forgery