WordPress Plugin Vulnerabilities

ARI Stream Quiz < 1.3.0 - Cross-Site Request Forgery

Description

The ARI Stream Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.32. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions against classes and quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
ari-stream-quiz
Fixed in 1.3.0

References

CVE
CVE-2023-51487
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/45180c8e-0625-4a21-b3a1-673abe52d78f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
a45e52e0-80b0-4732-972d-a379eda69e7f

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-11
Title
Avada < 7.11.11 - Cross-Site Request Forgery
Published
2024-02-05
Title
Contest Gallery < 21.2.9 - Cross-Site Request Forgery
Published
2023-03-02
Title
WpStream < 4.4.10.6 - Settings Update via CSRF
Published
2026-01-06
Title
teachPress < 9.0.13 - Cross-Site Request Forgery
Published
2023-12-05
Title
1 click disable all < 1.0.2 - Plugins Deactivation via CSRF