WordPress Plugin Vulnerabilities

Inactive Logout < 3.2.3 - Cross-Site Request Forgery

Description

The Inactive Logout plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ina_reset_adv_settings() function in versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
inactive-logout
Fixed in 3.2.3

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d9189eb3-be7f-42e1-92cc-b48af5615eb9

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
fa8ef00f-9e2a-4fa3-9b84-5df02c12120f

Timeline

Publicly Published
2023-09-20 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-19 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
CLP – Custom Login Page by NiteoThemes <= 1.5.5 - Cross-Site Request Forgery
Published
2025-01-24
Title
Linet ERP-Woocommerce Integration < 3.5.8 - Cross-Site Request Forgery
Published
2025-04-16
Title
Basic Interactive World Map <= 2.7 - Cross-Site Request Forgery to Settings Update
Published
2023-07-26
Title
Saphali Woocommerce Lite < 1.9.0 - Settings Update/Reset via CSRF
Published
2025-07-16
Title
AntiSpam for Contact Form 7 < 0.6.4 - Cross-Site Request Forgery