WordPress Plugin Vulnerabilities

Comment Blacklist Updater < 1.2.0 - Cross-Site Request Forgery via update_blacklist_manual

Description

The Comment Blacklist Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the 'update_blacklist_manual' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
comment-blacklist-updater
Fixed in 1.2.0

References

CVE
CVE-2023-44147
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc7bab78-4ebb-4be9-8891-1ac0e3ed0af3

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
d3840bb1-658e-460f-aaf5-e16c95703bfd

Timeline

Publicly Published
2023-09-23 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-05
Title
eewee admin custom <= 1.8.2.4 - Cross-Site Request Forgery to Privilege Escalation
Published
2023-08-11
Title
WP Like Button <= 1.7.0 - Button Settings Update via CSRF
Published
2023-12-27
Title
Product Table by WBW < 1.8.7 - Cross-Site Request Forgery via saveGroup
Published
2024-05-24
Title
WP Prayer II < 2.4.8 - Email Settings Update via CSRF
Published
2023-11-16
Title
WP EXtra < 6.5 - Cross-Site Request Forgery ToolImport