WordPress Plugin Vulnerabilities

Pagebar < 2.70 - Arbitrary Settings Update via CSRF to Stored XSS

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues

Proof of Concept

Affects Plugins

Plugin icon
pagebar
Fixed in 2.70

References

CVE
CVE-2022-1757

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
e648633e-868b-45b2-870a-308a2f9cb7f5

Timeline

Publicly Published
2022-06-15 (about 3 years ago)
Added
2022-06-15 (about 3 years ago)
Last Updated
2023-03-15 (about 2 years ago)

Other

Published
Title
Published
2025-05-19
Title
Dynamic Pricing & Discounts Lite for WooCommerce <= 2.0.3 - Cross-Site Request Forgery
Published
2018-01-09
Title
Download Manager <= 2.9.60 - Cross-Site Request Forgery (CSRF)
Published
2022-09-19
Title
Simple File List < 4.4.13 - Page Creation via CSRF
Published
2023-07-20
Title
WP-FlyBox <= 6.46 - CSRF
Published
2023-12-27
Title
EnvíaloSimple < 2.3 - API Key Update via CSRF