Elementor Contact Form DB < 1.6 - Plugin Settings Cross-Site Request Forgery

Description

The plugin lacked CSRF nonces, which could allow attackers to make logged in administrators perform unwanted actions, such as change the plugin's settings via a CSRF attack.

Affects Plugins

sb-elementor-contact-form-db

Fixed in version 1.6✓

References

CVE

CVE-2021-3133

URL

https://plugins.trac.wordpress.org/changeset/2454670/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Verified

WPVDB ID

b0943159-d164-4a5b-88bc-e0ada28beb32

Timeline

Publicly Published

2021-01-13 (about 3 months ago)

Added

2021-01-13 (about 3 months ago)

Last Updated

2021-01-15 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin