3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting | CVE 2022-41990 | Plugin Vulnerabilities

Description

The 3D Tag Cloud plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

cardoza-3d-tag-cloud

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

d6add4b3-3e5c-46a4-9313-74c7e5100c61

Timeline

Publicly Published

2024-02-06 (about 2 years ago)

Added

2024-02-06 (about 2 years ago)

Last Updated

2024-02-06 (about 2 years ago)

Other

Published

Title

Published

2013-07-04

Title

Sharebar < 1.4.1 - Button Manipulation CSRF

Published

2021-04-23

Title

Software License Manager < 4.4.6 - CSRF to Stored XSS

Published

2022-09-23

Title

Backup Scheduler <= 1.5.13 - Cross-Site Request Forgery

Published

2023-10-16

Title

SendPulse Free Web Push < 1.3.2 - CSRF

Published

2025-03-28

Title

Usermaven < 1.2.2 - Cross-Site Request Forgery