WordPress Plugin Vulnerabilities

EasyRecipe <= 3.5.3251 - Cross-Site Request Forgery

Description

The EasyRecipe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3251. This is due to missing nonce validation on several functions such as the saveStyle() and updateCustomCSS() functions. This makes it possible for unauthenticated attackers to modify several of the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
easyrecipe
No known fix

References

CVE
CVE-2023-46779
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/35906df7-5eaf-494a-8184-48e2ca22301e

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Skalucy
Verified
No
WPVDB ID
05d5799d-4d63-41d4-a6bb-b23ecefac7f0

Timeline

Publicly Published
2023-10-26 (about 6 months ago)
Added
2023-11-23 (about 5 months ago)
Last Updated
2024-01-22 (about 3 months ago)

Other

Published
Title
Published
2022-10-10
Title
SeoSamba for WordPress Webmasters < 1.0.6 - Access Key Update via CSRF
Published
2014-08-01
Title
Xhanch my Twitter - CSRF in admin/setting.php
Published
2024-03-12
Title
Team Circle Image Slider With Lightbox < 1.0.1 - Image Data Update via CSRF
Published
2024-04-05
Title
Sign-up Sheets < 2.2.12 - Cross-Site Request Forgery
Published
2018-06-07
Title
Add Social Share Buttons for Whatsapp and Viber < 1.1 - CSRF to Settings Change