WordPress Plugin Vulnerabilities
Post Carousel < 2.3.5 - CSRF Bypass / Unauthorised AJAX Calls
Description
The plugin did not properly check for CSRF in two of its AJAX actions, allowing them to be bypassed. Furthermore, other actions which should only be accessible to admins were missing capability check (but had CSRF checks), and the spf-reset action did not validate that the actions to be delete belong to the plugin. Various versions were released, attempted to fix the issues, v2.3.5 fixing everything
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-16 (about 2 years ago)
Added
2021-08-16 (about 2 years ago)
Last Updated
2021-08-16 (about 2 years ago)