WordPress Plugin Vulnerabilities

Widget Logic <= 5.10.2 - CSRF and Lack of Authorisation

Description

Lack of CSRF and Authorisation checks in widget_logic_expand_control() method registered as an sidebar_admin_setup action could allow unauthorised settings change

Affects Plugins

Plugin icon
widget-logic
Fixed in 5.10.3

References

CVE
CVE-2019-12826
URL
https://plugins.trac.wordpress.org/changeset?reponame=&new=2115506%40widget-logic&old=2112753%40widget-logic

Miscellaneous

Verified
No
WPVDB ID
f5b3206b-ced6-4c3e-974c-e404f887b564

Timeline

Publicly Published
2019-07-01 (about 6 years ago)
Added
2019-07-01 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2020-01-09
Title
TownHub < 1.0.6 - Multiple Vulnerabilities
Published
2019-06-27
Title
Block WP Login < 1.3.2 - CSRF and Unauthorised Settings Update
Published
2015-04-02
Title
Simple Ads Manager < 2.7.102 - Arbitrary File Upload & SQL Injection
Published
2015-08-20
Title
Tribulant Slideshow Gallery < 1.5.3.4 - Arbitrary file upload & Cross-Site Scripting (XSS)
Published
2019-09-08
Title
Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS