Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 2.4.0

PSID 

9a7eb49bf153

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-11-09

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Lana Codes (Patchstack Alliance) in WordPress REST API Authentication plugin (versions <= 2.4.0).

**Solution**

Update the WordPress WordPress REST API Authentication plugin to the latest available version (at least 2.4.1).

**References**

CVE-2022-45073: WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress.

 Verified

 Fixed

**6.1**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.4.5

PSID 

18f5b72d7722

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-28

**Details**

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress Store Locator plugin (versions <= 1.4.5).

**Solution**

Update the WordPress Store Locator WordPress plugin to the latest available version (at least 1.4.6).

**References**

CVE-2022-41615: WordPress Store Locator plugin <= 1.4.5 - Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

CVE-2022-41634: Media Library Folders

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter's Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCommerce-hez plugin <= 1.9.0.2 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.6.3.2

PSID 

792f108c7c16

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-20

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Lana Codes (Patchstack Alliance) in the WordPress Integration for Szamlazz.hu & WooCommerce plugin (versions <= 5.6.3.2).

**Solution**

Update the WordPress Integration for Szamlazz.hu & WooCommerce plugin to the latest available version (at least 5.6.3.3).

**References**

CVE-2022-41685: WordPress Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Booster for WooCommerce plugin <= 5.6.6 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.6.6

PSID 

e456ddc909a8

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-28

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings reset discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Booster for WooCommerce plugin (versions <= 5.6.6).

**Solution**

Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7).

**References**

CVE-2022-41805: WordPress Booster for WooCommerce plugin <= 5.6.6 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Mantenimiento web plugin <= 0.13 on WordPress.

 Verified

 Fixed

**6.1**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 0.13

PSID 

b957c4e41c55

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-31

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Mantenimiento web plugin (versions <= 0.13).

**Solution**

Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).

**References**

CVE-2022-38075: WordPress Mantenimiento web plugin <= 0.13 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.5.4

PSID 

9bd17320929d

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-28

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings reset discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress Creative Mail plugin (versions <= 1.5.4).

**Solution**

Update the WordPress Creative Mail plugin to the latest available version (at least 1.6.0).

**References**

CVE-2022-40687: WordPress Creative Mail plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.5.4

PSID 

44e5f3f1a978

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-28

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress Creative Mail plugin (versions <= 1.5.4).

**Solution**

Update the WordPress Creative Mail plugin to the latest available version (at least 1.6.0).

**References**

CVE-2022-40686: WordPress Creative Mail plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.

 Verified

 Fixed

**7.1**

CVSS 3.1 score High severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 2.0.9

PSID 

cc516f9d86dc

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-11-17

**Details**

Cross-Site Request Forgery (CSRF) vulnerability discovered by dhakal\_ananda (Patchstack Alliance) in WordPress wpForo Forum plugin (versions <= 2.0.9).

**Solution**

Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0).

**References**

CVE-2022-40192: WordPress wpForo Forum plugin <= 2.0.9 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress.

 Verified

 Fixed

**4.3**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Software

Multilingual CMS

Vulnerable versions

<= 4.5.13

PSID 

9be045ae00bb

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-11-09

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to status change of translation job discovered by Dave Jong (Patchstack) in WordPress WPML Multilingual CMS premium plugin (versions <= 4.5.13).

**Solution**

Update the WordPress Multilingual CMS plugin to the latest available version (at least 4.5.14).

**References**

Tag

#csrf