WordPress Plugin Vulnerabilities

Waiting: One-click countdowns <= 0.6.2 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to create and delete countdowns, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
waiting
No known fix

References

CVE
CVE-2023-4000

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
f6e11f8b-0861-4036-9ad9-095453405141

Timeline

Publicly Published
2022-12-23 (about 3 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2023-05-24
Title
Easy Google Maps < 1.11.8 - Cross-Site Request Forgery (CSRF)
Published
2025-09-26
Title
Groovy Menu <= 1.4.3 - Cross-Site Request Forgery
Published
2014-12-12
Title
Simple Ip Ban <= 1.2.3 - Multiple CSRF
Published
2025-06-27
Title
Slickstream < 3.0.0 - Cross-Site Request Forgery
Published
2022-04-26
Title
Coru LFMember <= 1.0.2 - Stored Cross-Site Scripting via CSRF