WP Lead Plus X <= 0.99 - Multiple Cross-Site Request Forgery (CSRF)



Description
None of the plugin's request handlers verify a WordPress nonce, so an attacker who can get a logged-in administrator to visit a crafted page or click a crafted link can make the administrator's browser perform any action the plugin exposes, with the administrator's privileges. This includes adding new pages, replacing existing pages, and inserting arbitrary JavaScript into site content. The issue is a missing CSRF check, not a missing authentication check: the forged request rides on the victim's existing session cookies.
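The following is an added illustration of the pattern the advisory describes; it is not code from WP Lead Plus X or from Wordfence. It shows a hypothetical WordPress admin-post handler that creates a page, first without a nonce check (the CSRF-prone shape) and then hardened with a capability check plus a nonce. The slug `example`, the action names and all function names are assumptions. The WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_insert_post`, `wp_kses_post`) are real core functions.

```php
<?php
/*
 * Hypothetical plugin code (added example, not WP Lead Plus X).
 * Both handlers are reached via wp-admin/admin-post.php?action=<name>.
 */

/* ---- Vulnerable shape: no nonce, no capability check -------------------
 * Any browser holding an administrator's cookies that submits a POST to
 * admin-post.php?action=example_create_page (for instance an auto-submitted
 * form on an attacker-controlled page) will create a published page whose
 * body is attacker-supplied HTML/JavaScript.
 */
function example_create_page_vulnerable() {
    $title   = isset( $_POST['title'] )   ? wp_unslash( $_POST['title'] )   : '';
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $content,   // stored verbatim, including <script>
        'post_type'    => 'page',
        'post_status'  => 'publish',
    ) );
    wp_safe_redirect( admin_url( 'edit.php?post_type=page' ) );
    exit;
}
add_action( 'admin_post_example_create_page', 'example_create_page_vulnerable' );

/* ---- Hardened shape --------------------------------------------------- */

// The form the plugin renders in wp-admin. wp_nonce_field() emits a hidden
// input bound to the current user, the current session and the action name.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_create_page_safe">
        <?php wp_nonce_field( 'example_create_page', 'example_nonce' ); ?>
        <p><input type="text" name="title" placeholder="Title"></p>
        <p><textarea name="content"></textarea></p>
        <?php submit_button( 'Create page' ); ?>
    </form>
    <?php
}

function example_create_page_safe() {
    // 1. Authorization. A nonce is not a permission check; it only proves
    //    the request originated from a form this user was shown.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF. check_admin_referer() verifies the nonce named 'example_nonce'
    //    for the action 'example_create_page' and calls wp_die() on failure.
    //    A request forged from another origin cannot know this value.
    check_admin_referer( 'example_create_page', 'example_nonce' );

    // 3. Input handling. Users without unfiltered_html get the same
    //    filtering the core editor would apply.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_unslash( $_POST['content'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $content,
        'post_type'    => 'page',
        'post_status'  => 'publish',
    ) );
    wp_safe_redirect( admin_url( 'edit.php?post_type=page' ) );
    exit;
}
add_action( 'admin_post_example_create_page_safe', 'example_create_page_safe' );
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and `admin_init`-driven handler and confirm it calls `check_admin_referer()` or `check_ajax_referer()` (or `wp_verify_nonce()` with an explicit failure path) and a `current_user_can()` check before any state change. Handlers exposed through `wp_ajax_nopriv_*` need the same scrutiny, since those run for unauthenticated visitors as well.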

Affects Plugin

References

URL https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Verified No
WPVDB ID 10169

Timeline

Publicly Published 2020-04-07
Added 2020-04-07
Last Updated 2020-04-08
