Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2022-47143: WordPress Multiple Pages Generator by Themeisle plugin <= 3.3.9 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Multiple Page Generator Plugin – MPG plugin <= 3.3.9 versions.

CVE
Open in Source
#csrf#vulnerability#wordpress#auth
CVE-2022-47147: WordPress ipblocklist plugin <= 1.0 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kesz1 Technologies ipBlockList plugin <= 1.0 versions.

CVE-2022-47422: WordPress WordPress Stripe Donation plugin <= 3.1.5 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin Accept Stripe Donation – AidWP plugin <= 3.1.5 versions.

CVE-2022-47443: WordPress Multi Rating plugin <= 5.0.5 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions.

CVE-2022-47141: WordPress WP Dynamic Keywords Injector plugin <= 2.3.15 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Dynamic Keywords Injector plugin <= 2.3.15 versions.

CVE-2022-47154: WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin <= 2.4.49 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Pi Websolution CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin <= 2.4.49 versions.

CVE-2022-47163: WordPress WP CSV to Database plugin <= 2.6 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, josh401 WP CSV to Database – Insert CSV file content into WordPress plugin <= 2.6 versions.

CVE-2022-47162: WordPress DH – Anti AdBlocker plugin <= 36 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Dannie Herdyawan DH – Anti AdBlocker plugin <= 36 versions.

CVE-2022-47155: WordPress Slider by Supsystic plugin <= 1.8.5 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Slider by Supsystic plugin <= 1.8.5 versions.

GHSA-7r7x-4c4q-c4qf: Missing proper state, nonce and PKCE checks for OAuth authentication

### Impact `next-auth` applications using OAuth provider versions before `v4.20.1` are affected. A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. As an example, an attack can happen in the following scenario. > TL;DR: The attacker steals the victim's authenticated callback by intercepting and tampering with the authorization URL created by `next-auth`. 1. The victim attempts to log in to the `next-auth` site. For example https://next-auth-example.vercel.app/ 2. `next-auth` sets the `checks` cookies according to how the OAuth provider is configured. In this case, `state` and `pkce` are set by default for the Google Provider. <img width="1971" alt="Screen Shot 2023-03-03 at 09 54 26" src="https://user-images.githubusercontent.com/31528554/222619750-a2062bb8-99eb-4985-a75c-d75acd3da67e.png"> 3. The at...