WordPress Plugin Vulnerabilities

Shortcodes Ultimate < 5.12.1 - Settings Preset Update via CSRF

Description

The plugin does not have CSRF check in place when updating its preset settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Affects Plugins

Plugin icon
shortcodes-ultimate
Fixed in 5.12.1

References

CVE
CVE-2022-38086

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
dbe98db1-fb95-49f9-a276-acec5dce086b

Timeline

Publicly Published
2022-10-02 (about 3 years ago)
Added
2022-10-11 (about 3 years ago)
Last Updated
2022-10-11 (about 3 years ago)

Other

Published
Title
Published
2023-04-06
Title
PHP Compatibility Checker < 1.6.0 - Cross-Site Request Forgery
Published
2024-06-28
Title
Perfect Portfolio < 1.2.1 - Cross-Site Request Forgery to Notice Dismissal
Published
2025-03-11
Title
Hashtags <= 0.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-04-09
Title
Multiple Location Google Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-02-28
Title
HT Portfolio < 1.1.6 - Arbitrary Plugin Activation via CSRF