WordPress Plugin Vulnerabilities

POEditor < 0.9.8 - Settings Reset via CSRF

Description

The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks.

Proof of Concept

Affects Plugins

Plugin icon
poeditor
Fixed in 0.9.8

References

CVE
CVE-2023-4209
URL
https://blog.cleantalk.org/cve-2023-4209-poeditor-0-9-8-settings-reset-via-csrf/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii
Submitter
Dmitrii
Submitter website
https://blog.cleantalk.org
Verified
Yes
WPVDB ID
b2c6fa7d-1b0f-444b-8ca5-8c1c06cea1d9

Timeline

Publicly Published
2023-08-07 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-22 (about 2 years ago)

Other

Published
Title
Published
2024-06-26
Title
Super Testimonials <= 3.0.0 - Cross-Site Request Forgery
Published
2021-08-06
Title
WP Fusion Lite < 3.37.30 - CSRF to Data Deletion
Published
2026-01-27
Title
Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update
Published
2023-11-21
Title
Perfmatters < 2.1.7 - Cross-Site Request Forgery
Published
2023-05-25
Title
Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)