Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2023-32502: WordPress Pro Mime Types plugin <= 1.0.7 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Sybre Waaijer Pro Mime Types – Manage file media types plugin <= 1.0.7 versions.

CVE
Open in Source
#csrf#vulnerability#wordpress#auth
CVE-2023-32592: WordPress Sunny Search plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Palasthotel by Edward Bock, Katharina Rompf Sunny Search plugin <= 1.0.2 versions.

CVE-2023-32587: WordPress WP Reactions Lite plugin <= 1.3.8 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WP Reactions, LLC WP Reactions Lite plugin <= 1.3.8 versions.

CVE-2023-32579: WordPress Forget About Shortcode Buttons plugin <= 2.1.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Designs & Code Forget About Shortcode Buttons plugin <= 2.1.2 versions.

CVE-2023-32512: WordPress ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin <= 3.7.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin <= 3.7.1 versions.

GHSA-2rmr-xw8m-22q9: Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

### Impact An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors: * client-side vulnerabilities: XSS/CSRF in the context of the trusted domain; * interaction with internal network; * read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.); * local/remote port scan. This issue only affects users who have [Next.js SDK tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers) enabled. ### Patches The problem has been fixed in [sentry/[email protected]](https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0) ### Workarounds Disable tunneling by removing the `tunnelRoute` option from Sentry Next.js SDK config — `next.config.js` or `next.config.mjs`. ### References * [Sentry Next.js tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#confi...

CVE-2023-32745: WordPress AutomateWoo plugin <= 5.7.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce AutomateWoo plugin <= 5.7.1 versions.

CVE-2023-34024: WordPress WP Full Auto Tags Manager plugin <= 2.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Guillemant David WP Full Auto Tags Manager plugin <= 2.2 versions.