WordPress Plugin Vulnerabilities

Coru LFMember <= 1.0.2 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads

Proof of Concept

Affects Plugins

Plugin icon
coru-lfmember
No known fix

References

CVE
CVE-2022-1618
URL
https://packetstormsecurity.com/files/#166831/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Mariam Tariq
Verified
Yes
WPVDB ID
ddafcab2-b5db-4839-8ae1-188383f4250d

Timeline

Publicly Published
2022-04-26 (about 3 years ago)
Added
2022-04-27 (about 3 years ago)
Last Updated
2022-05-08 (about 3 years ago)

Other

Published
Title
Published
2025-02-03
Title
BookPress – For Book Authors <= 1.2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-12
Title
Bet sport Free <= 1.0.0 - Cross-Site Request Forgery
Published
2025-11-08
Title
Auto Prune Posts < 3.1.0 - Cross-Site Request Forgery
Published
2024-11-18
Title
Buying Buddy IDX CRM < 2.0.0 - PHP Object Injection via CSRF
Published
2023-11-07
Title
Add Local Avatar <= 12.1 - Cross-Site Request Forgery via manage_avatar_cache