WordPress Plugin Vulnerabilities

WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting

Description

The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, user input is sanitized insufficiently leading to stored Cross-Site Scripting.

Affects Plugins

Plugin icon
wp-forms-puzzle-captcha
No known fix

References

CVE
CVE-2023-48278
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
qilin_99
Verified
No
WPVDB ID
f30139eb-8b93-44fb-bcd7-0528ed16b5b3

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Bitly URL Shortener < 1.5.0 - Cross-Site Request Forgery
Published
2019-07-27
Title
Custom Simple RSS <= 2.0.6 - CSRF
Published
2025-10-13
Title
wpNamedUsers <= 0.5 - Cross-Site Request Forgery
Published
2022-05-30
Title
Multi-page Toolkit <= 2.6 - Arbitrary Settings Update to Stored XSS via CSRF
Published
2014-08-01
Title
Cool Video Gallery 1.8 - admin/gallery-settings.php Gallery Settings Manipulation CSRF