WordPress Plugin Vulnerabilities

Multiple Plugins from Inisev - Plugin Installation via CSRF

Description

Multiple plugins from the Inisev vendor are lacking CSRF check in the handle_installation function hooked to the inisev_installation AJAX action, allowing unauthenticated attackers to make logged in admins install plugins from Inisev on the blog via a CSRF attack

Affects Plugins

Plugin icon
feedburner-alternative-and-rss-redirect
Fixed in 3.8
Plugin icon
ultimate-social-media-icons
Fixed in 2.8.2
Plugin icon
copy-delete-posts
Fixed in 1.4.0
Plugin icon
wp-clone-by-wp-academy
Fixed in 2.3.8
Plugin icon
enhanced-text-widget
Fixed in 1.5.8
Plugin icon
backup-backup
Fixed in 1.2.8
Plugin icon
redirect-redirection
Fixed in 1.1.4
Plugin icon
ultimate-posts-widget
Fixed in 2.2.5
Plugin icon
http-https-remover
Fixed in 3.2.4
Plugin icon
pop-up-pop-up
Fixed in 1.2.0
Plugin icon
ultimate-social-media-plus
Fixed in 3.5.8

References

CVE
CVE-2023-3977

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
f2b8dd08-6661-41da-b1c4-fe001ee268d3

Timeline

Publicly Published
2023-07-27 (about 2 years ago)
Added
2023-07-28 (about 2 years ago)
Last Updated
2023-07-28 (about 2 years ago)

Other

Published
Title
Published
2023-10-03
Title
Publish Confirm Message < 2.0 - Settings Update via CSRF
Published
2025-03-24
Title
jQuery Dropdown Menu <= 3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-03
Title
Tickera < 3.5.5.8 - Cross-Site Request Forgery
Published
2025-02-18
Title
Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block
Published
2025-04-09
Title
Customize Login Page <= 1.1 - Cross-Site Request Forgery