LadiApp <= 4.4 – Cross-Site Request Forgery via ladiflow_save_hook() | CVE 2023-4628 | Plugin Vulnerabilities

Description

The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflow_hook_configs' option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0be418fa-f1cf-4aaf-bc94-c8e04186a54b

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

GiongfNef

Verified

No

WPVDB ID

b994011d-8db2-4ee3-970e-c572928281ed

Timeline

Publicly Published

2024-03-11 (about 2 years ago)

Added

2024-03-11 (about 2 years ago)

Last Updated

2024-03-11 (about 2 years ago)

Other

Published

Title

Published

2026-02-13

Title

SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion

Published

2023-07-17

Title

WP Reroute Email < 1.4.8 - Cross-Site Request Forgery

Published

2023-07-26

Title

Optimize Database after Deleting Revisions < 5.1.1 - Database Optimization via CSRF

Published

2024-05-29

Title

WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_addcomment

Published

2025-09-22

Title

Fastly < 1.2.29 - Cross-Site Request Forgery