WordPress Plugin Vulnerabilities

Store Locator <= 3.98.7 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
store-locator
Fixed in 3.98.8

References

CVE
CVE-2022-47446

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
rezaduty
Verified
No
WPVDB ID
a2fb654f-33a4-44ea-a1a4-40cb4eefbbfc

Timeline

Publicly Published
2023-05-24 (about 2 years ago)
Added
2023-05-24 (about 2 years ago)
Last Updated
2023-05-24 (about 2 years ago)

Other

Published
Title
Published
2024-08-19
Title
AZIndex <= 0.8.1 - Stored XSS via CSRF
Published
2024-04-10
Title
Ultimate Product Catalogue < 5.2.16 - Cross-Site Request Forgery via reset_settings()
Published
2026-01-06
Title
teachPress <= 9.0.12 - Cross-Site Request Forgery
Published
2023-10-17
Title
WP Radio <= 3.1.9 - CSRF
Published
2023-05-24
Title
Easy Google Maps < 1.11.8 - Cross-Site Request Forgery (CSRF)