Easy Call Now by ThikShare <= 1.1.0 – Cross-Site Request Forgery via settings_page | CVE 2023-47819 | Plugin Vulnerabilities

Description

The Easy Call Now by ThikShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

a72329e6-502d-4414-9d23-53b3c21db3b2

Timeline

Publicly Published

2023-11-16 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-11-11

Title

W3SPEEDSTER < 7.27 - Cross-Site Request Forgery

Published

2014-08-01

Title

Twitget 3.3.1 - twitget.php Twitter Setting Manipulation CSRF

Published

2024-03-25

Title

Advance Search <= 1.1.6 - Shortcode Deletion via CSRF

Published

2019-07-17

Title

WP Code Highlight.js < 0.6.3 - CSRF to Stored XSS

Published

2025-10-10

Title

WidgetPack Comment System <= 1.6.1 - Cross-Site Request Forgery