WordPress Plugin Vulnerabilities

LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
linkworth-wp-plugin
Fixed in 3.3.4

References

CVE
CVE-2022-2172
URL
https://plugins.trac.wordpress.org/changeset?new=2754739%40linkworth-wp-plugin&old=2750802%40linkworth-wp-plugin#file8

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
bfb6ed12-ae64-4075-9d0b-5620e998df74

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2023-04-29 (about 2 years ago)

Other

Published
Title
Published
2024-10-14
Title
Wsify Widget <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-10
Title
PhpList Subber <= 1.1 - Cross-Site Request Forgery
Published
2023-07-17
Title
vSlider Multi Image Slider for WordPress <= 4.1.2 - Cross-Site Request Forgery
Published
2025-04-09
Title
Interactive US Map <= 2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-26
Title
Lenix scss compiler <= 1.2 - Cross-Site Request Forgery