Thrive Automator < 1.17.1 – Cross-Site Request Forgery | CVE 2023-51531 | Plugin Vulnerabilities

Description

The Thrive Automator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.17. This is due to missing or incorrect nonce validation on the factory_reset function. This makes it possible for unauthenticated attackers to reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

thrive-automator

Fixed in 1.17.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d5b1a3d-ce7f-4d5d-b72b-61024d5c5378

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon James Roldan (tomorrowisnew)

Verified

No

WPVDB ID

c5d26daf-7df1-4241-b2be-9d06049e330a

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-04-25

Title

Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF

Published

2024-06-21

Title

Falang multilanguage < 1.3.52 - Cross-Site Request Forgery

Published

2023-10-19

Title

AI ChatBot < 4.9.3 - Cross-Site Request Forgery (CSRF)

Published

2024-02-05

Title

Contact Form 7 Connector < 1.2.3 - Cross-Site Request Forgery

Published

2023-04-06

Title

PHP Compatibility Checker < 1.6.0 - Cross-Site Request Forgery