Cross-Site Request Forgery in 0mk Shortener Plugin for WordPress
CVE-2022-2933

8.8HIGH

Key Information:

Vendor: Wordpress
Status: 0mk Shortener
Vendor: CVE Published:; 6 February 2023

Summary

The 0mk Shortener plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit a Cross-Site Request Forgery (CSRF). This is due to the absence of robust nonce validation in the zeromk_options_page function. By tricking a site administrator into clicking a malicious link, an attacker can inject harmful web scripts via the 'zeromk_user' and 'zeromk_apikluc' parameters. This vulnerability emphasizes the importance of validating nonces to ensure actions are performed by authenticated users.

Affected Version(s)

0mk Shortener * <= 0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/0mk-shortener/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 6, 2023
Vulnerability Reserved
Aug 22, 2022

Credit

Juampa Rodríguez