Cross-Site Request Forgery in Companion Auto Update Plugin for WordPress
CVE-2018-20972
8.8 HIGH
Summary
Versions of the Companion Auto Update plugin for WordPress prior to 3.2.1 are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to trick a logged-in user into executing unintended actions on the WordPress site. By exploiting this weakness, attackers may be able to manipulate plugin settings without the user's consent, potentially leading to unauthorized changes or data exposure. Users should update the plugin to version 3.2.1 or later to mitigate this security risk.
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved