WordPress Plugin Vulnerabilities

WPMK Ajax Finder <= 1.0.1 - Stored Cross-Site Scripting via CSRF

Description

The plugin is missing CSRF check when updating its settings, which could allow attacker to make a logged in admin change them, as well as put XSS payloads in them due to the lack of sanitisation and escaping

Affects Plugins

Plugin icon
find-any-think
No known fix

References

CVE
CVE-2022-1749

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Tsubasa Imaizumi, Cryptography Laboratory in Tokyo Denki University
Verified
Yes
WPVDB ID
db5c5bfb-6577-43c8-939e-18f568dcea7f

Timeline

Publicly Published
2022-05-31 (about 3 years ago)
Added
2022-05-31 (about 3 years ago)
Last Updated
2023-02-28 (about 3 years ago)

Other

Published
Title
Published
2024-04-26
Title
WP GDPR Compliance <= 2.0.23 - Cross-Site Request Forgery
Published
2023-01-20
Title
Quick Event Manager < 9.7.5 - Registration Deletion/Update via CSRF
Published
2024-07-12
Title
i-transform <= 3.0.9 - Cross-Site Request Forgery
Published
2025-03-11
Title
Comment Date and Gravatar remover <= 1.0 - Cross-Site Request Forgery
Published
2024-11-28
Title
Load More Posts <= 1.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting