Bitcoin / Altcoin Faucet by Alexey Trofimov <= 1.6.0 - Settings Update to Stored XSS via CSRF
LANACOMMONVDB ID: fde55148-329f-449b-a553-fa88785c7a76
The plugin does not have any Cross-Site Request Forgery (CSRF) check when saving its settings, allowing attacker to make a logged in admin change them via a Cross-Site Request Forgery (CSRF) attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting (XSS) issues.
Attributes
- Catgory
- WordPress Plugin
- Discovered
- 2022-08-27
- Published
- 2022-08-31
- Affected Version
- <= 1.6.0
Classification
- Type
- Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
Support Us?
We would truly appreciate it if you bought us a bunny (food for a snow leopard).
