WordPress Plugin Vulnerabilities

Libro de Reclamaciones y Quejas <= 1.0 - Stored XSS via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
libro-de-reclamaciones-y-quejas
No known fix

References

CVE
CVE-2025-32113
URL
https://patchstack.com/database/wordpress/plugin/libro-de-reclamaciones-y-quejas/vulnerability/wordpress-libro-de-reclamaciones-y-quejas-plugin-0-9-csrf-to-stored-xss-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
SOPROBRO
Verified
No
WPVDB ID
b0cf1823-484a-482f-ad36-c0ca3fe24813

Timeline

Publicly Published
2025-04-04 (about 1 year ago)
Added
2025-04-08 (about 1 year ago)
Last Updated
2025-06-04 (about 11 months ago)

Other

Published
Title
Published
2026-03-10
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.8 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
Published
2023-09-28
Title
Events Rich Snippets for Google <= 1.8 - Cross-Site Request Forgery to Arbitrary Options Update
Published
2025-02-24
Title
Bulk Content Creator <= 1.2.1 - Cross-Site Request Forgery
Published
2023-05-22
Title
BEAR < 1.1.3.2 - Cross-Site Request Forgery (CSRF)
Published
2025-10-24
Title
Advanced Database Cleaner < 3.1.7 - Settings Manipulation via CSRF