WordPress Plugin Vulnerabilities

Auto Excerpt everywhere <= 1.5 - Cross-Site Request Forgery

Description

The Auto Excerpt everywhere plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the auto_excerpt_everywhere_options() function and included options.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
auto-excerpt-everywhere
No known fix

References

CVE
CVE-2023-46776
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/32647c44-389a-4a6d-a32b-e19a35bc2aeb

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
fdf15a00-5b0b-4aed-8ced-9c873d5c62e8

Timeline

Publicly Published
2023-10-27 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-02-18
Title
Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action
Published
2023-07-20
Title
WP-FlyBox <= 6.46 - CSRF
Published
2025-08-25
Title
Post Type Converter <= 0.6 - Cross-Site Request Forgery
Published
2021-06-30
Title
Fontsampler < 0.14.3 - CSRF to Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-03-24
Title
Translator <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting