WordPress Plugin Vulnerabilities

Push Notifications for WordPress (Lite) < 6.0.1 - Settings Update via CSRF

Description

The plugin is lacking CSRF checks in some of its function, for example when saving its settings, which could allow attackers to make a logged in admin change them

Affects Plugins

Plugin icon
push-notifications-for-wp
Fixed in 6.0.1

References

CVE
CVE-2021-20846
URL
https://jvn.jp/en/jp/JVN85492429/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ten Katouno
Verified
Yes
WPVDB ID
a9f1a99e-a29f-4b13-822c-05097f2eba1d

Timeline

Publicly Published
2021-11-16 (about 4 years ago)
Added
2021-11-16 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2024-05-14
Title
Integration for Contact Form 7 HubSpot <=1.3.1 - Cross-Site Request Forgery
Published
2023-09-29
Title
Contact Form < 2.0.12 - Form Styling Update via CSRF
Published
2024-08-30
Title
Carousel Slider < 2.2.4 - Cross-Site Request Forgery
Published
2025-08-20
Title
Sign-up Sheets < 2.3.3.1 - Cross-Site Request Forgery
Published
2025-04-01
Title
Append Content <= 2.1.1 - Cross-Site Request Forgery to Settings Update