CVE-2023-2277: Changeset 2904689 for wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php – WordPress Plugin Repository
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the ‘insert’ function. This makes it possible for unauthenticated attackers to update the plugin’s settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Timestamp:
04/26/2023 04:45:29 PM (7 weeks ago)
listingthemes
Message:
1.2.0
- Disable cluster on map
- Fix in categories, field visibility configuration
- Map infowindow improvements
- WooCommerce compatibility improvements
- Count issue fix in listings manage dashboard
- Layout improvements
- Security improvements
- Fixed Open Redirection
- Fixed Cross-Site Request Forgery
- Fixed file url issues
- vendor libs update
File:
- wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php (1 diff)
wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php
r2821684
r2904689
46
46
if($this->form->run($rules))
47
47
{
48
49
// Check \_wpnonce
50
check\_admin\_referer( 'wdk-resultitem-edit\_'.$id, '\_wpnonce' );
51
48
52
// Save procedure for basic data
49
$data = $this->resultitem\_m->prepare\_data($this->input->post(), $rules);
53
$data = $this->resultitem\_m->prepare\_data(wdk\_get\_post(), $rules);
50
54
51
55
// Save standard wp post
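Review bot: The `check_admin_referer( 'wdk-resultitem-edit_'.$id, '_wpnonce' )` call added at new line 50 verifies the nonce only, and nothing in this hunk checks the caller's capability before `prepare_data()` runs at new line 53. `check_admin_referer()` does not test permissions, so please confirm that a `current_user_can()` test guards this save path, or add one next to the nonce check. The action string is built from `$id`, whose origin is not visible in these lines: if it is empty when a new item is inserted, every insert shares the action `wdk-resultitem-edit_`, and the form that posts here has to emit its nonce with the identical string or legitimate saves will fail. The check also sits inside the `if($this->form->run($rules))` branch, so validation runs on a forged request before the nonce is rejected; moving it ahead of `run()` would reject such requests earlier. Last, new line 53 replaces `$this->input->post()` with `wdk_get_post()`, whose body is not part of this diff. A short comment stating what that helper sanitizes would help, since the advisory for this change also mentions script injection through the saved settings, and a nonce alone does not address what gets stored.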