WordPress Plugin Vulnerabilities

Wicked Folders < 2.18.17 - Folder Structure Update via CSRF

Description

The plugin does not have CSRF checks when managing its folder structure (such as moving, deleting, creating etc folders), which could allow attackers to make logged admins perform such actions via CSRF attacks

Affects Plugins

Plugin icon
wicked-folders
Fixed in 2.18.17

References

CVE
CVE-2023-0728
CVE
CVE-2023-0727
CVE
CVE-2023-0730
CVE
CVE-2023-0723
CVE
CVE-2023-0685
CVE
CVE-2023-0722
CVE
CVE-2023-0724
CVE
CVE-2023-0725
CVE
CVE-2023-0726
CVE
CVE-2023-0729

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
a2e9b803-832e-4768-8056-059ea29f90d1

Timeline

Publicly Published
2023-02-07 (about 1 years ago)
Added
2023-02-07 (about 1 years ago)
Last Updated
2023-06-09 (about 11 months ago)

Other

Published
Title
Published
2023-09-12
Title
Login with phone number < 1.5.7 - User Password Change via CSRF
Published
2024-04-10
Title
EWWW Image Optimizer < 7.3.0 - Cross-Site Request Forgery
Published
2023-07-17
Title
WP Reroute Email < 1.4.8 - Cross-Site Request Forgery
Published
2023-05-23
Title
LWS Hide Login < 2.1.7 - Plugin Settings Page Creation via CSRF
Published
2024-04-15
Title
BMI Adult & Kid Calculator < 1.2.2 - Cross-Site Request Forgery to Cross-Site Scripting