WordPress Plugin Vulnerabilities

WIP Custom Login < 1.3.0 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
wip-custom-login
Fixed in 1.3.0

References

CVE
CVE-2023-33313
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wip-custom-login/wip-custom-login-129-cross-site-request-forgery-via-save-option
URL
https://patchstack.com/database/vulnerability/wip-custom-login/wordpress-wip-custom-login-plugin-1-2-9-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
db240bcd-362e-4d8c-b778-2fa00ed0b180

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2023-02-28
Title
Real Estate 7 < 3.3.5 - Reflected XSS
Published
2024-06-28
Title
Preschool and Kindergarten < 1.2.2 - Cross-Site Request Forgery to Notice Dismissal
Published
2022-09-19
Title
Simple File List < 4.4.13 - Page Creation via CSRF
Published
2025-09-09
Title
Advanced Settings < 3.2.0 - Cross-Site Request Forgery
Published
2024-08-26
Title
Email Address Encoder < 1.0.24 - Cross-Site Request Forgery via eae_clear_caches()