WordPress Plugin Vulnerabilities

WP Travel < 4.4.7 - Cross-Site Request Forgery

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
wp-travel
Fixed in 4.4.7

References

CVE
CVE-2021-4389
URL
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
ef2d7c1b-4518-4803-a526-542811c4e7d8

Timeline

Publicly Published
2021-03-01 (about 5 years ago)
Added
2023-07-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2024-07-08
Title
Advanced AJAX Page Loader <= 2.7.7 - Cross-Site Request Forgery to Arbitrary File Upload
Published
2024-12-12
Title
LeaderBoard Plugin <= 1.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-12
Title
ECT Product Carousel <= 1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-06-05
Title
Muslim Prayer Time BD < 2.5 - Settings Reset via CSRF
Published
2025-04-09
Title
Buddypress Humanity <= 1.2 - Cross-Site Request Forgery to Privilege Escalation