WordPress Plugin Vulnerabilities

GS Logo Slider < 3.7.1 - Settings Update via Cross-Site Request Forgery

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
gs-logo-slider
Fixed in 3.7.1

References

CVE
CVE-2024-9233
URL
https://research.cleantalk.org/cve-2024-9233/
YouTube Video

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
a466cea4-0ae5-44a1-9e12-bd5dbecde2f2

Timeline

Publicly Published
2024-08-29 (about 1 year ago)
Added
2024-10-03 (about 1 year ago)
Last Updated
2024-10-03 (about 1 year ago)

Other

Published
Title
Published
2024-05-24
Title
AZAN Plugin <= 0.6 - Stored XSS via CSRF
Published
2021-07-06
Title
WPCS < 1.1.7 - Arbitrary Plugin's Settings Change via CSRF
Published
2025-01-16
Title
Floatbox Plus <= 1.4.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-06
Title
MyBookTable Bookstore < 3.5.4 - Cross-Site Request Forgery
Published
2024-02-07
Title
Royal Elementor Addons and Templates < 1.3.88 - Missing Authorization via wpr_update_form_action_meta