WordPress Plugin Vulnerabilities

Better Click to Tweet < 5.10.4 - Settings Update via CSRF

Description

The plugin lacks CSRF protection when updating the bctt-twitter-handle option, allowing an attacker to change the plugin settings by tricking a logged in admin to submit a form.

Proof of Concept

Affects Plugins

Plugin icon
better-click-to-tweet
Fixed in 5.10.4

References

CVE
CVE-2022-45839
URL
https://fosstodon.org/@BenUNC/109396612719157334

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Submitter
Ben Meredith
Submitter website
https://www.betterclicktotweet.com
Verified
Yes
WPVDB ID
c6e43d88-ec01-4385-bf58-64f9bfe19490

Timeline

Publicly Published
2022-11-28 (about 3 years ago)
Added
2022-12-07 (about 3 years ago)
Last Updated
2022-12-07 (about 3 years ago)

Other

Published
Title
Published
2017-01-11
Title
WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Published
2024-04-10
Title
WordPress Hosting Benchmark tool < 1.3.7 - Cross-Site Request Forgery via execute_plugin()
Published
2025-05-07
Title
Sidebar Manager Light <= 1.18 - Cross-Site Request Forgery
Published
2023-10-16
Title
HTML5 Maps < 1.7.1.5 - Arbitrary Settings Update via CSRF
Published
2025-07-03
Title
yContributors <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting