Cross-Site Request Forgery Vulnerability in WP Private Content Plus Plugin
CVE-2021-4385
8.8HIGH
Summary
The WP Private Content Plus plugin for WordPress is affected by a critical security flaw that permits Cross-Site Request Forgery (CSRF) in versions up to 3.1. The vulnerability stems from inadequate nonce verification within the save_groups() function. This weakness allows attackers to exploit the issue by tricking an administrator into performing unintended actions, such as clicking on a malicious link, thereby enabling unauthorized alterations to group memberships.
Affected Version(s)
WP Private Content Plus * <= 3.1
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jerome Bruandet