WordPress Plugin Vulnerabilities

Remove Footer Credit < 1.0.6 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation

Notes:
- v1.0.6 fixed the CSRF, however sanitisation only removed script tags, leading to an Authenticated Stored XSS issue, a separate advisory has been created for it

Proof of Concept

Affects Plugins

Plugin icon
remove-footer-credit
Fixed in 1.0.6

References

CVE
CVE-2021-24446

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
be55131b-d9f2-4ac1-b667-c544c066887f

Timeline

Publicly Published
2021-07-12 (about 4 years ago)
Added
2022-01-11 (about 3 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
Rename Author Slug <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-27
Title
3DPrint Lite < 2.1.3.6 - Cross-Site Request Forgery
Published
2025-02-03
Title
Custom Links On Admin Dashboard Toolbar <= 3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-08-18
Title
Jock on air now < 5.6.2 - Arbitrary Plugin's Settings Update via CSRF
Published
2022-09-29
Title
AdminPad < 2.2 - Note Update via CSRF