WordPress Plugin Vulnerabilities

Maspik – Spam blacklist < 2.2.8 - Cross-Site Request Forgery to Plugin Settings Change

Description

The Maspik – Advanced Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.7. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
contact-forms-anti-spam
Fixed in 2.2.8

References

CVE
CVE-2024-53806
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5802226f-95f0-4c79-b434-0f74c1f47f1a

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
c0714ce6-06e5-4dc2-ba2e-423e34be102f

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-11 (about 1 year ago)
Last Updated
2024-12-11 (about 1 year ago)

Other

Published
Title
Published
2025-01-03
Title
Wizhi Multi Filters by Wenprise <= 1.8.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2026-02-08
Title
Photo Gallery by 10Web < 1.8.38 - Cross-Site Request Forgery
Published
2025-04-25
Title
wp-cyr-cho <= 0.1 - Cross-Site Request Forgery
Published
2023-11-15
Title
Disable User Login < 1.3.9 - User Login Toggle via CSRF
Published
2020-09-16
Title
Coupon Creator < 3.1.1 - Arbitrary Settings Update via CSRF