Cross-Site Request Forgery Vulnerability in Wicked Folders Plugin for WordPress
CVE-2023-0727

4.3 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 7 February 2023

Summary

The Wicked Folders plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 2.18.16. The flaw arises from inadequate nonce validation in the ajax_delete_folder function. An unauthenticated attacker could exploit it by tricking a website administrator into initiating an action through a manipulated request. Such actions may lead to unauthorized alterations in the folder structure that the plugin manages, posing a significant risk to the integrity of website configurations.

Affected Version(s)

Wicked Folders * <= 2.18.16

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka