WordPress Plugin Vulnerabilities

Contact Form < 2.0.12 - Form Styling Update via CSRF

Description

The plugin does not have CSRF check when updating the contact form styling, which could allow attackers to make logged in admins perform such action via a CSRF attack

Affects Plugins

Plugin icon
contact-form-ready
Fixed in 2.0.12

References

CVE
CVE-2023-44231
URL
https://patchstack.com/database/vulnerability/contact-form-ready/wordpress-contact-form-plugin-2-0-10-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
d9ccce08-fbc1-4be0-8815-d43ef992a5ba

Timeline

Publicly Published
2023-09-29 (about 7 months ago)
Added
2023-10-12 (about 7 months ago)
Last Updated
2024-03-18 (about 2 months ago)

Other

Published
Title
Published
2022-08-01
Title
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
Published
2023-06-13
Title
Securimage-WP <= 3.6.16 - Cross-Site Request Forgery
Published
2015-07-14
Title
BuddyPress Activity Plus < 1.6.2 - Cross-Site Request Forgery (CSRF)
Published
2023-02-06
Title
0mk Shortener <= 0.2 - Stored XSS via CSRF
Published
2021-06-30
Title
WP Prayer < 1.5.5 - Unauthorised AJAX call via CSRF