WordPress Plugin Vulnerabilities

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.14 - Settings Reset/Update via CSRF

Description

The plugin does not have CSRF checks when resetting and updating its settings, which could allow attackers to make logged in admins perform such actions via CSRF attacks

Affects Plugins

Plugin icon
powerpack-lite-for-elementor
Fixed in 2.7.14

References

CVE
CVE-2023-6984
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe2cfc96-63f4-4e4b-bf49-6031594a4805

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
Yes
WPVDB ID
fd4620bb-8a3b-400c-8f63-1c2fc8abc93e

Timeline

Publicly Published
2024-01-02 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2023-02-28
Title
HT Portfolio < 1.1.6 - Arbitrary Plugin Activation via CSRF
Published
2023-10-25
Title
Remove Add to Cart WooCommerce < 1.4.5 - Settings Update via CSRF
Published
2023-06-15
Title
WooCommerce Stock Manager < 2.11.0 - Cross-Site Request Forgery
Published
2014-09-19
Title
Improved User Search in Backend < 1.2.6 - CSRF & XSS
Published
2024-04-29
Title
5280 Bootstrap Modal Contact Form <= 1.0 - Cross-Site Request Forgery to Bulk Delete Messages