WordPress Plugin Vulnerabilities

GMAce <= 1.5.2 - Arbitrary File Creation/Deletion/Update via CSRF

Description

The plugin does not have CSRF checks in the gmace_manager_server() function, which could allow attackers to make logged in admins create, delete and update arbitrary files via a CSRF attack

Affects Plugins

Plugin icon
gmace
No known fix

References

CVE
CVE-2023-1509
CVE
CVE-2023-23861

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes, Mika
Verified
Yes
WPVDB ID
b16673b2-cc15-45c8-b43e-15128795b02e

Timeline

Publicly Published
2023-03-29 (about 3 years ago)
Added
2023-03-29 (about 3 years ago)
Last Updated
2023-03-30 (about 3 years ago)

Other

Published
Title
Published
2025-04-24
Title
Related Posts via Taxonomies <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-27
Title
Navayan Subscribe <= 1.13 - Cross-Site Request Forgery
Published
2022-06-15
Title
Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF
Published
2025-10-10
Title
Web Accessibility By accessiBe < 2.11 - Cross-Site Request Forgery
Published
2024-03-12
Title
Easy Social Feed < 6.5.5 - Cross-Site Request Forgery