WordPress Plugin Vulnerabilities

Elementor Contact Form DB < 1.6 - Plugin Settings Cross-Site Request Forgery

Description

The plugin lacked CSRF nonces, which could allow attackers to make logged in administrators perform unwanted actions, such as change the plugin's settings via a CSRF attack.

Affects Plugins

Plugin icon
sb-elementor-contact-form-db
Fixed in 1.6

References

CVE
CVE-2021-3133
URL
https://plugins.trac.wordpress.org/changeset/2454670/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.2 (medium)

Miscellaneous

Verified
No
WPVDB ID
b0943159-d164-4a5b-88bc-e0ada28beb32

Timeline

Publicly Published
2021-01-13 (about 3 years ago)
Added
2021-01-13 (about 3 years ago)
Last Updated
2021-01-15 (about 3 years ago)

Other

Published
Title
Published
2023-02-28
Title
Stripe Payments For WooCommerce by Checkout < 1.4.11 - Settings Update via CSRF
Published
2022-11-28
Title
Manage Notification E-mails < 1.8.3 - Settings Reset via CSRF
Published
2023-12-22
Title
Anti Hacker < 4.35 - Cross-Site Request Forgery via antihacker_ajax_scan
Published
2023-10-12
Title
Contact Form With Captcha <= 1.6.8 - Cross-Site Request Forgery
Published
2022-06-01
Title
My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF