LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 – Cross-Site Request Forgery via init_endpoint | CVE 2023-4731 | Plugin Vulnerabilities

Description

The LadiApp plugn for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts,

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a46fd57-4cb9-4d98-89b6-926d74b2ab33

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

GiongfNef

Verified

No

WPVDB ID

da9d0aac-335b-4c8c-b920-3093410f3aa3

Timeline

Publicly Published

2024-03-11 (about 2 years ago)

Added

2024-03-11 (about 2 years ago)

Last Updated

2024-03-11 (about 2 years ago)

Other

Published

Title

Published

2025-08-15

Title

Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-17

Title

WP Sticky Side Buttons <= 2.1 - Cross-Site Request Forgery

Published

2025-01-03

Title

Scratch & Win – Giveaways and Contests < 2.8.0 - Cross-Site Request Forgery via reset_installation Function

Published

2014-08-01

Title

Wordpress 3.3.1 - Multiple CSRF Vulnerabilities

Published

2025-07-03

Title

yContributors <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting