Multiple CSRF Vulnerabilities in HMS Testimonials Plugin for WordPress
CVE-2013-4240

Currently unrated

Key Information:

Vendor: WordPress
CVE Published: 2 April 2014

Summary

The HMS Testimonials plugin for WordPress prior to version 2.0.11 contains multiple cross-site request forgery (CSRF) vulnerabilities. A remote attacker can abuse the session of an authenticated administrator to perform unauthorized actions in the WordPress admin panel: adding new testimonials, creating new groups, and modifying both the default and the advanced settings. These forged requests can make significant unauthorized changes to the WordPress site, so affected installations should be updated promptly to the fixed version of the plugin.
