WordPress Plugin Vulnerabilities

WP Lead Plus X <= 0.99 - Multiple Cross-Site Request Forgery (CSRF)

Description

None of the functions in this plugin use nonce checks, so it is possible for an attacker to perform any action that the plugin is capable of by tricking an administrator into clicking a specially crafted link designed to perform that action. This includes capabilities such as adding new pages, replacing existing pages, and inserting malicious JavaScript.

Affects Plugins

Plugin icon
free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
No known fix

References

URL
https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Submitter
Ramuel Gall
Verified
No
WPVDB ID
f40bd1b0-3640-4c4e-afb3-d433b48b2393

Timeline

Publicly Published
2020-04-07 (about 6 years ago)
Added
2020-04-07 (about 6 years ago)
Last Updated
2020-04-08 (about 6 years ago)

Other

Published
Title
Published
2025-01-16
Title
root Cookie <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-07-08
Title
Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
Published
2025-06-05
Title
HR Management Lite <= 3.5 - Cross-Site Request Forgery
Published
2023-11-24
Title
Availability Calendar <= 1.2.6 - Cross-Site Request Forgery via add_availability_calendar_create_admin_page()
Published
2025-04-17
Title
Verge3D < 4.9.3 - Cross-Site Request Forgery