WordPress Plugin Vulnerabilities

Hreflang Manager < 1.07 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.06. This is due to missing nonce validation in the ~/admin/view/connections.php file. This makes it possible for unauthenticated attackers to modify, delete, and clone connections via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
hreflang-manager-lite
Fixed in 1.07

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
ac5f809b-acfb-41ea-8e3a-7e95beb282ef

Timeline

Publicly Published
2023-11-14 (about 2 years ago)
Added
2024-01-17 (about 2 years ago)
Last Updated
2024-01-17 (about 2 years ago)

Other

Published
Title
Published
2025-03-27
Title
Serial Codes Generator and Validator with WooCommerce Support < 2.7.8 - Cross-Site Request Forgery via [placeholder]
Published
2025-06-05
Title
Print Invoice & Delivery Notes for WooCommerce < 5.6.0 - Cross-Site Request Forgery
Published
2025-06-05
Title
WP-Recall <= 16.26.14 - Cross-Site Request Forgery
Published
2025-06-05
Title
Wp Easy Allopass <= 4.1.1 - Cross-Site Request Forgery
Published
2025-06-05
Title
WP Security Master <= 1.0.2 - Cross-Site Request Forgery