WordPress Plugin Vulnerabilities

BuddyPress Customer.io Analytics Integration <= 1.1.6 - Arbitrary Plugin Settings Update via CSRF

Description

The plugin does not properly perform the CSRF check when saving its settings, allowing attackers to make logged in admin change them to arbitrary values

Proof of Concept

Affects Plugins

Plugin icon
bpcustomerio
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
df1fdca8-d08f-4577-8cdf-67ca1ac741ba

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2023-02-12
Title
Quiz And Survey Master < 8.0.8 - Text Message Setting Update via CSRF
Published
2023-11-07
Title
Plugin Name: Device Theme Switcher <= 3.0.2 - Cross-Site Request Forgery
Published
2025-04-11
Title
Arkhe <= 3.12.0 - Local File Inclusion via CSRF
Published
2025-05-19
Title
Affiliates Manager Google reCAPTCHA Integration < 1.0.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-04-05
Title
Salon booking system < 9.6.6 - Settings Update via CSRF