Awesome Support < 6.1.5 – Cross-Site Request Forgery via wpas_edit_reply_ajax() | CVE 2023-48323 | Plugin Vulnerabilities

Description

The Awesome Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.1.4. This is due to missing or incorrect nonce validation on the wpas_edit_reply_ajax() function. This makes it possible for unauthenticated attackers to edit replies via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

awesome-support

Fixed in 6.1.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/579b887a-4140-4e12-9a9a-ba52d212b8a2

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

thiennv

Verified

No

WPVDB ID

af8e0061-3113-4ee3-af36-72b21fbe58ed

Timeline

Publicly Published

2023-11-23 (about 2 years ago)

Added

2023-11-28 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2023-01-02

Title

Booster for WooCommerce - Multiple CSRF

Published

2024-01-12

Title

InstaWP Connect < 0.1.0.9 - Cross-Site Request Forgery via create_file_db_manager

Published

2025-12-03

Title

Business Directory < 6.4.20 - Cross-Site Request Forgery

Published

2023-08-16

Title

WooCommerce PDF Invoice Builder < 1.2.91 - Invoice Fields Creation via CSRF

Published

2024-11-13

Title

Disable Admin Notices individually < 1.4.1 - Cross-Site Request Forgery