WordPress Plugin Vulnerabilities

Publish Confirm Message < 2.0 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
publish-confirm-message
Fixed in 2.0

References

CVE
CVE-2023-32124
URL
https://patchstack.com/database/vulnerability/publish-confirm-message/wordpress-publish-confirm-message-plugin-1-3-1-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Taihei Shimamine
Verified
No
WPVDB ID
b96650c8-b85c-4bd6-bac4-9a851943737a

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-10-13 (about 2 years ago)
Last Updated
2024-01-10 (about 2 years ago)

Other

Published
Title
Published
2024-08-19
Title
Snapshot Backup <= 2.1.1 - Stored XSS via CSRF
Published
2025-06-27
Title
Slickstream < 3.0.0 - Cross-Site Request Forgery
Published
2022-05-11
Title
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
Published
2021-05-05
Title
Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
Published
2025-10-13
Title
Simple Stripe <= 0.9.17 - Cross-Site Request Forgery