WordPress Plugin Vulnerabilities

UpdraftPlus < 1.23.4 - CSRF

Description

The plugin does not have CSRF check in the action_authenticate_storage, which could allow attackers to make logged in admins inject JavaScript into a parameter in the authentication process via a CSRF attack when they can trick an admin to perform multiple actions including re-authenticating a connection to a storage.

Affects Plugins

Plugin icon
updraftplus
Fixed in 1.23.4

References

CVE
CVE-2023-32960

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
eb9f67b9-1956-4485-a007-1eb932288200

Timeline

Publicly Published
2023-05-18 (about 1 years ago)
Added
2023-06-22 (about 1 years ago)
Last Updated
2023-06-22 (about 1 years ago)

Other

Published
Title
Published
2024-01-08
Title
MailerLite – WooCommerce integration < 2.0.9 - Cross-Site Request Forgery via Multiple AJAX Functions
Published
2023-12-28
Title
Simple Job Board < 2.10.7 - Cross-Site Request Forgery
Published
2024-04-24
Title
WP Prayer <= 2.0.9 - Email Settings Update via CSRF
Published
2022-09-21
Title
FavIcon Switcher <= 1.2.11 - Arbitrary Settings Change via CSRF
Published
2023-11-21
Title
UserPro < 5.1.1 - Cross-Site Request Forgery to PHP Object Injection