WordPress Plugin Vulnerabilities

Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF

Description

The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions (<= 2.6.4), inject arbitrary web-scripts, by tricking a logged in user with the contributor role or higher to click a link.

Proof of Concept

Affects Plugins

Plugin icon
lead-capturing-call-to-actions-by-vcita
No known fix

References

CVE
CVE-2023-2303
URL
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita
URL
https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
aaa589a1-2ce6-4d1a-9fac-bc16272a0aab

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2023-04-25
Title
WordPress Vertical Image Slider < 1.2.17 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Modular 2.4 - dl-skin.php _mysite_delete_skin_zip Parameter Absolute Path Traversal Remote Directory Deletion
Published
2016-01-07
Title
WP Symposium Pro < 16.01 - Unspecified
Published
2014-08-01
Title
Page Layout Builder 1.3.4 - Unspecified Issue
Published
2026-01-16
Title
Spin Wheel < 2.1.1 - Unauthenticated Client-Side Prize Manipulation