WordPress Plugin Vulnerabilities

Big File Uploads < 2.1.2 - Cross-Site Request Forgery via actions

Description

The Big File Uploads plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the actions function. This makes it possible for unauthenticated attackers to dismiss or delay admin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
tuxedo-big-file-uploads
Fixed in 2.1.2

References

CVE
CVE-2023-47792
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
c868ea53-4f65-439d-a421-0d559b55a295

Timeline

Publicly Published
2023-11-14 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-07-12
Title
i-transform <= 3.0.9 - Cross-Site Request Forgery
Published
2024-12-11
Title
AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot < 1.6.3 - Cross-Site Request Forgery via update_integration_option
Published
2014-08-01
Title
A Forms 1.4.0 - Form Submission CSRF
Published
2025-03-26
Title
Football Pool < 2.12.3 - Cross-Site Request Forgery to Settings Update
Published
2024-03-13
Title
WooCommerce Cart Abandonment Recovery < 1.2.27 - Templates/Abandoned Orders Deletion via CSRF