WordPress Plugin Vulnerabilities

Title Field Validation <= 1.1 - Unauthorised AJAX Calls

Description

The plugin does not properly check for CSRF in its find_post_type, save_validation, edit_validation, update_validation and delete_validation AJAX actions. Additionally, the actions were also missing any capability checks. As a result, any authenticated user (such as subscriber) could call them to create, edit delete validations

Proof of Concept

Affects Plugins

Plugin icon
title-field-validation
No known fix

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.3 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
cc5938a3-a7d8-4dfa-8256-9ace889ab4b4

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2024-02-27
Title
WordPress Access Control <= 4.0.13 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2021-02-10
Title
Map Block for Google Maps < 1.32 - Unauthorised Google API Key change
Published
2024-06-05
Title
The Moneytizer < 10.0.1 - Missing Authorization via multiple AJAX actions
Published
2021-10-20
Title
Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
Published
2025-09-29
Title
SmartCrawl SEO checker, analyzer & optimizer < 3.14.4 - Missing Authorization to Plugin Settings Update