Cross-Site Request Forgery Vulnerability in Wicked Folders for WordPress
CVE-2023-0722
4.3 MEDIUM
Summary
The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.18.16 because the ajax_save_state function does not validate a nonce correctly. An unauthenticated attacker can therefore forge a request to this function and, if a site administrator is tricked into performing an action such as clicking a link, have the administrator's browser submit it, altering the folder structure the plugin manages. Correct nonce validation in every state-changing AJAX handler is the intended defence against this class of issue in WordPress plugins.
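As an added illustration that is not the plugin's own code, the hypothetical admin-ajax handler below shows the missing-nonce pattern the summary describes beside the standard WordPress mitigation (nonce check plus capability check); every function, action and option name in it is invented for the example.

```php
<?php
// Added illustration (not Wicked Folders code): a WordPress admin-ajax handler
// that persists a folder-tree UI state. Names are hypothetical.

// --- Before: no nonce validation, the pattern the advisory describes ---------
// Any POST that reaches admin-ajax.php with the right action is honoured, so a
// forged cross-site form submitted by a logged-in admin's browser succeeds.
function example_ajax_save_state_vulnerable() {
    $state = isset( $_POST['state'] ) ? sanitize_text_field( wp_unslash( $_POST['state'] ) ) : '';
    update_option( 'example_folder_state', $state );
    wp_send_json_success();
}

// --- After: reject requests that do not carry a valid nonce ------------------
function example_ajax_save_state_fixed() {
    // check_ajax_referer() ends the request with HTTP 403 when the 'nonce'
    // field is missing, expired, or was issued for another action or user.
    check_ajax_referer( 'example_save_state', 'nonce' );

    // A nonce proves intent, not authorisation: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $state = isset( $_POST['state'] ) ? sanitize_text_field( wp_unslash( $_POST['state'] ) ) : '';
    update_option( 'example_folder_state', $state );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_state', 'example_ajax_save_state_fixed' );

// Issue the nonce only to the plugin's own admin-page script, which sends it
// back as the 'nonce' POST field; a third-party page cannot read this value.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_state' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing a plugin for this defect, look for every `wp_ajax_*` callback that writes options or post meta and confirm it calls `check_ajax_referer()` (or `wp_verify_nonce()`) before the write.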
Affected Version(s)
Wicked Folders * <= 2.18.16
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Marco Wotschka