WordPress Plugin Vulnerabilities

WPCS < 1.1.7 - Arbitrary Plugin's Settings Change via CSRF

Description

The plugin did not have any CSRF in place when saving its options, which could allow attacker to make a logged in administrator change them.

Affects Plugins

Plugin icon
currency-switcher
Fixed in 1.1.7

References

CVE
CVE-2021-20780
URL
https://jvn.jp/en/jp/JVN91372527/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mizuki Takagi
Verified
Yes
WPVDB ID
e185c112-cd4b-4290-b1ff-1dffffe8e4f1

Timeline

Publicly Published
2021-07-06 (about 4 years ago)
Added
2021-07-06 (about 4 years ago)
Last Updated
2022-04-03 (about 4 years ago)

Other

Published
Title
Published
2026-01-06
Title
Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update
Published
2022-11-09
Title
WPML < 4.5.14 - CSRF
Published
2022-10-20
Title
Simple SEO < 1.8.13 - Sitemap Creation/Deletion via CSRF
Published
2025-02-03
Title
Print PDF Generator and Publisher < 1.2.1 - Cross-Site Request Forgery
Published
2011-03-17
Title
WP Recaptcha < 3.0 - Multiple CSRF