WordPress Plugin Vulnerabilities

WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF

Description

The plugin does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack

Proof of Concept

https://example.com/wp-admin/admin.php?page=real-cookie-banner-component&rcb-reset-all=1

Affects Plugins

Plugin icon
real-cookie-banner
Fixed in 2.14.2

References

CVE
CVE-2022-0445

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
d9f28255-0026-4c42-9e67-d17b618c2285

Timeline

Publicly Published
2022-02-07 (about 2 years ago)
Added
2022-02-07 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2024-04-25
Title
Smart Maintenance Mode <= 1.4.4 - Cross-Site Request Forgery
Published
2023-09-12
Title
Login with phone number < 1.5.7 - User Password Change via CSRF
Published
2020-04-29
Title
Ninja Forms < 3.4.24.2 - CSRF to Stored XSS
Published
2023-11-07
Title
Donations Made Easy – Smart Donations <= 4.0.12 - Cross-Site Request Forgery
Published
2024-04-10
Title
WordPress Hosting Benchmark tool < 1.3.7 - Cross-Site Request Forgery via execute_plugin()