Animated Rotating Words < 5.5 – Cross-Site Request Forgery via save_admin_options | CVE 2023-47187 | Plugin Vulnerabilities

Description

The Animated Rotating Words (Interchanging Random Words in a Sentence) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4. This is due to missing or incorrect nonce validation on the save_admin_options function. This makes it possible for unauthenticated attackers to modify the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

css3-rotating-words

Fixed in 5.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/15b7008f-07fc-4f8a-b214-8ac0c4cf6d99

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

e277e37a-0bf4-4cbc-b38f-a64cb42a88c8

Timeline

Publicly Published

2023-11-03 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-12-04

Title

WpEvently < 5.0.5 - Missing Authorization

Published

2026-02-25

Title

Responsive Posts Carousel WordPress Plugin <= 15.1 - Missing Authorization

Published

2024-02-28

Title

WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS

Published

2024-03-04

Title

Page Builder Sandwich <= 5.1.0 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Post Editing

Published

2025-12-23

Title

Product Loops for WooCommerce <= 2.1.2 - Missing Authorization