WordPress Plugin Vulnerabilities

Laposta Signup Basic < 1.4.2 - Missing Authorization

Description

The Laposta Signup Basic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxResetCache function in versions up to, and including, 1.4.1. This makes it possible for subscriber-level attackers or higher to delete the plugin's cache.

Affects Plugins

Plugin icon
laposta-signup-basic
Fixed in 1.4.2

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b7e417c2-bf9c-4c88-be2b-9c2324897b07

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (Medium)

Miscellaneous

Verified
No
WPVDB ID
ce9a7ccd-0bc0-4a10-8233-5ce87b64a5a4

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2025-09-05
Title
Custom WooCommerce Checkout Fields Editor <= 1.3.4 - Cross-Site Request Forgery
Published
2023-12-28
Title
Affiliates Manager < 2.9.32 - Cross-Site Request Forgery via multiple AJAX actions
Published
2025-01-16
Title
add custom google tag manager <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-02-03
Title
BookPress – For Book Authors <= 1.2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-04-25
Title
Tracked Tweets <= 0.2.9 - Stored Cross-Site Scripting via CSRF